ABSTRACT

The terminal and the user module are authenticated in a combined manner on the basis of an authentication key calculated on the one hand by the terminal and on the other hand by the network. A session key is firstly calculated by the user module on the basis of a secret user key, of a terminal identification parameter and of a first random number. Calculation of the authentication key by the terminal involves this session key calculated by the user module, a secret terminal identification key and a second random number. The network calculates in the same way the session key and the authentication key by retrieving the secret keys on the basis of the identification parameters transmitted by the terminal. The terminals can then be authenticated by the network independently of the associated user modules.

6 Claims, 3 Drawing Sheets
PROCESS OF COMBINED AUTHENTICATION OF A TELECOMMUNICATION TERMINAL AND OF A USER MODULE

BACKGROUND OF THE INVENTION

The present invention relates to a process for controlling access to a telecommunications network by means of a terminal operating together with a user module. It finds an application in any communication system requiring authentication of the terminals.

Procedures are known, for example from EP-A-0 552 392, which make it possible mutually to authenticate a user module and a terminal. These procedures enable the user to be assured of the authenticity of the terminal to which he presents his module. On the other hand, they do not advise the network regarding the authenticity of the terminal or of the module.

The communication network needs to ascertain and verify the identity of the users in order to ensure proper routing of the communications and to allow billing. Most often, as for example in the case of the European cellular radio telephone (GSM), each terminal is associated with a single user, and authentication of the terminals and of the users is merged.

Currently, the concept of personal mobility is developing, and there is a desire to enable the terminals to be shared by several users. This entails separation between the management of the users and that of the terminals.

Under the layout currently applied in the GSM network, authentication pertains solely to the user modules. The terminal contains no specific security data. Withdrawal of the user module entails the absence of the authentication data related to the terminal. The latter then becomes dormant and is no longer contactable. When it is moved, especially during a location update procedure, it is the user module (SIM) which is authenticated (see the article "Une application de la carte à microprocesseur: le module d'identité d'abonné du radiotéléphone numérique européen" (An application of the microprocessor card: the subscriber identity module of the European digital radio telephone) by P. Jolie et al., published in L'Echo des Recherches No. 139, 1st quarter 1990, pages 13 to 20). Moreover, if the terminal is envisaged as being shareable by several users for receiving communications, it becomes possible for several users to be logged onto the same terminal during a location update. It can happen that the terminal does not physically possess a user module during a location update; in this case, authentication is impossible and the location update fails, seeing that it must be impossible for the terminals to use radio resources without being associated with users.

In view of the foregoing, a main object of the present invention is to provide a flexible procedure for the combined authentication of a user module and of a terminal.

SUMMARY OF THE INVENTION

The invention proposes a process for controlling access to a telecommunications network by means of a terminal operating together with a user module, in which a session key is calculated, on the one hand by the user module and on the other hand by the network, on the basis of data which include a user identification key held secretly in a memory of the user module and a first random number provided by the network, the network retrieving the user identification key on the basis of a user identification parameter issued by the terminal. The terminal calculates an authentication key on the basis of data which include the session key calculated by the user module, a terminal identification key held secretly in a memory of the terminal and a second random number provided by the network. The network calculates in the same way the authentication key on the basis of data which include the session key calculated by the network, the terminal identification key retrieved by the network on the basis of a terminal identification parameter issued by the terminal and the second random number. The terminal is authorized to access the network in the event of concordance between the authentication keys calculated by the terminal and by the network.

The session key serves to control the user modules, whereas the authentication key serves to control the user modules (via the session key) and the terminals in a combined manner. This mode of access control offers great flexibility. In particular, the terminals and the users can be managed by different entities. Thus, when the network comprises an access system and one or more user management units, the session key calculations are performed at user management unit level (under the control of the service provider), whereas the authentication key calculations are performed at access system level (under the control of the network operator).

Preferably, the terminal stores the user identification parameter and the session key calculated by the user module, and the network stores the user identification parameter and the terminal identification parameter which are received from the terminal as well as the session key calculated by the network. In this way, physical association of the user module with the terminal is no longer indispensable when a subsequent authentication procedure is performed, since it is no longer necessary to recalculate a session key each time. This advantage is particularly important in cellular radio telephone networks, for which authentication procedures are in general performed during each location update of a mobile station.

With the process according to the invention, it is possible to envisage "signing on" several users to the same terminal. Access to the network by the terminal can be authorized for each of the user modules presented in succession to the terminal, without throwing off the previous users. There is thus provision for the terminal to store the user identification parameters relating to each of the modules which were presented in succession to it, and at least one session key calculated for one of these modules, and provision for the network to store the user identification parameters relating to each of these modules, the terminal identification parameter and at least the session key calculated by the network in relation to said one of these modules.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic layout of a cellular radio telephony network and of an associated mobile station, for the implementation of the invention.

FIGS. 2 and 3 are charts illustrating the steps of authentication procedures performed in accordance with the process according to the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

The invention is described below in its application to a cellular radio telephony network. A person skilled in the art will understand that the process is readily generalizable to other types of telecommunications network. FIG. 1 illustrates the well-known architecture of the European radio telephone network GSM. For a general description of this network reference may be made to the article "Le système cellulaire numérique européen de communication avec les mobiles" (The European digital cellular system for communication with mobiles) by B. Ghillebaert et al., published in L'Echo des Recherches No. 131, first quarter 1988, pages 5 to 16.

The cellular network comprises an access system SAA, and one or more user management units HLR. The access system SAA is connected to a wire telephone network STN to enable mobile users to communicate with subscribers to the wire network. The access system SAA includes a number of base stations BS scattered around the region covered, which provide for the radio interface with the mobile stations. Each base station BS is operated by a base station controller BSC connected to a mobile service switching centre MSC.

For management of users, the management unit, or home location register HLR, includes a database 10 in which is stored the information required for management of the communications by a number of mobile subscribers. The database 10 is associated with processing circuits 11 which carry out calculations and data exchanges serving in the management of the communications. The access system SAA further comprises visitor location registers VLR, each associated with one or more switching centres MSC. A VLR comprises a database 12 containing a copy of the records of the HLRs for all the mobile subscribers who are found within the cells dependent on the switching centre(s) MSC in question, and associated processing circuits 13.

A mobile station able to communicate with the cellular network comprises a terminal PA associated with a user module SIM. The module SIM takes either the form of a memory card, or the form of a plug-in component, in which are stored various user-specific data, including his identification parameter IMUI and his secret user identification key Ku. The identification key Ku is stored in a protected area of the memory 15 of the module SIM. It is also stored in the database 10 of the HLR to which the user pertains, in correspondence with the identification parameter IMUI. The key Ku is never transmitted between two functional components involved in a communication, for security reasons. Management of the parameters IMUI and secret keys Ku is therefore carried out by the operator of the network who has responsibility for the HLR and who delivers the user modules SIM. The memory 15 of the module SIM is associated with processing circuits 16 which perform calculations and carry out data exchanges with the terminal PA.

For the implementation of the process according to the invention, the terminal PA also includes a memory 17 in which are stored terminal-specific data, including the terminal identification parameter IMTI and the secret terminal identification key D. The memory 17 is associated with processing circuits 18 which perform certain calculations involved in the authentication procedure, and which carry out data exchanges on the one hand with the module SIM and on the other hand with the access system SAA. Provision may be made for the secret keys D to be related to the corresponding identification parameters IMTI through a secret function known only to the operator of the network, which writes the key D=f(IMTI) into a protected area of the memory 17 of each terminal. The network (VLR) is then capable of retrieving the key D relating to a terminal on the basis of its identification parameter IMTI. When such a secret function f is called upon, the network has no need to employ a nominal database of all the available terminals, nor to determine the network of origin of each terminal.

The mode of communication between the components of a mobile station and of the cellular network is conventional and will not be detailed further here. It will be possible in this respect to refer to the article by B. Ghillebaert et al. cited earlier. Only the access control process of relevance to the present invention will be described below, with reference to FIGS. 2 and 3.

The access control process employs two distinct cryptographic functions AG and AT. The first function AG is applied at the level of the modules SIM and of the management units HLR in order to calculate session keys Ks. The algorithm of the function AG is therefore stored both in the modules SIM (in a protected area of the memory 15) and in the HLRs. The function AG is not necessarily identical for all the service providers managing HLRs. In the embodiment described, the function AG has three arguments: (i) the secret identification key Ku of the relevant user, (ii) the identification parameter IMTI of the relevant terminal, and (iii) a random number R1 provided by the network. The function AG can of course include other arguments (for example the identification parameter IMUI of the relevant user), if it is desired to obtain greater diversity within the session keys Ks.

A second cryptographic function AT is applied in order to calculate authentication keys SRES, on the one hand at the level of the terminals PA, and on the other hand at the level of the access system SAA, or specifically at the level of the relevant visitor location register VLR. The algorithm of the function AT is therefore stored both in the terminals (in a protected area of the memory 17) and in the VLRs. In the embodiment described, the function AT has three arguments: (i) the session key Ks calculated by means of the first function AG, (ii) the secret identification key D of the relevant terminal, and (iii) a second random number R2 provided by the network. Of course, the function AT may include other arguments (for example the identification parameter IMTI of the relevant terminal), if it is desired to obtain greater diversity within the authentication keys SRES.

A procedure for signing on and authorizing a user at a terminal PA is illustrated in FIG. 2. When the user presents his module SIM to the terminal (or when powering up the terminal physically associated with the module SIM), the module SIM transmits the user identification parameter IMUI stored in its memory 15 to the terminal PA. The terminal then issues a sign-on request which includes the parameter IMUI which it has just received from the module SIM and its own identification parameter IMTI stored in its memory 17. The access system SAA routes the sign-on request to the relevant VLR. The VLR then generates two random numbers R1, R2 and transmits them to the terminal PA through the access system. The VLR also informs the relevant HLR of the sign-on request and transmits to it the identification parameters IMUI, IMTI together with the first random number R1.

The terminal PA then communicates its identification parameter IMTI and the first random number R1 to the module SIM. The module SIM calculates the session key Ks=AG(Ku, IMTI, R1) and transmits it to the terminal PA. The terminal calculates the authentication key SRES on the basis of the session key Ks which it has just received from the module SIM, of its secret identification key D, and of the second random number R2: SRES=AT(Ks, D, R2). This authentication key SRES is sent by the terminal to the VLR through the access system.

On the basis of the user identification parameter IMUI which it has received from the VLR, the HLR retrieves from its database 10 the secret key Ku associated with this parameter IMUI. It then calculates the session key Ks=AG(Ku, IMTI, R1) and transmits it to the VLR. On the basis of the terminal identification parameter IMTI which it has received from the terminal PA, the VLR retrieves the associated secret key D=f(IMTI). It then calculates the authentication key SRES on the basis of the session key Ks which it has received from the HLR, of the terminal identification key D which it has retrieved, and of the second random number R2: SRES=AT(Ks, D, R2). The VLR next compares the authentication key SRES which it has calculated itself with that which it has received from the terminal PA, so as to determine whether the terminal should be authorized to access the network. In the event of concordance between the authentication keys, authorization is given to the terminal PA, which then stores the user identification parameter IMUI and the session key Ks which it has received from the module SIM. On its side, the VLR stores the identification parameters IMUI and IMTI, as well as the session key Ks which it has received from the HLR, then it allocates the IMUI/IMTI session a roaming number MSRN which it communicates to the HLR. The HLR can then store the data relating to the user identified by the parameter IMUI, namely the terminal identification parameter IMTI, the session key Ks calculated by the HLR, and the roaming number MSRN allocated by the VLR.

Authentication therefore pertains both to the user module (through the session key Ks) and to the terminal.

Once the sign-on and authentication procedure illustrated in FIG. 2 has terminated, the user can withdraw his module SIM whilst remaining signed on to the terminal PA. In the event of an outside call intended for this user, the HLR is interrogated and retrieves the relevant VLR on the basis of the roaming number MSRN associated with this user IMUI. The VLR can then determine the base station BS with which the terminal PA to which the user is signed on can communicate. Communication can be established without a new session key Ks being calculated, that is to say without the user needing to reinsert his module SIM. In the event of a call emanating from the mobile user, there is preferably provision for the latter to have to reinsert his module SIM and for the sign-on and authorization procedure illustrated in FIG. 2 to be repeated.

After sign-on and authorization of the user IMUI and withdrawal of this user's module SIM, it is possible to sign on another user IMUI' to the same terminal. The procedure applied is essentially the same as that illustrated in FIG. 2. A new session key Ks' and a new authentication key SRES' are calculated, and authentication is performed on the basis of the authentication key SRES'. When authorization is effectual, the terminal PA stores the two user identification parameters IMUI, IMUI' and the session key Ks', and the VLR stores the two user identification parameters IMUI, IMUI', the terminal identification parameter IMTI, and the session key Ks'. The new session key Ks' is therefore shared between the various users IMUI, IMUI' signed on to the terminal PA. It is also possible to retain the two session keys Ks and Ks' in memory, each user IMUI, IMUI' then retaining his own session key. The procedure below is applicable in the same way to the signing on of any number of users to the same terminal.

The subsequent authentication procedure, applicable at the behest of the network or during a terminal location update, is illustrated in FIG. 3. When the terminal PA has determined that it must change area of location, it transmits to the relevant VLR an authorization request which includes the identification parameter of the signed-on user IMUI and the identification parameter of the terminal IMTI. The VLR then searches its database 12 for whether it has stored a session key Ks in connection with the parameters IMUI and IMTI.

If the VLR does not find a session key Ks associated with the parameters IMUI and IMTI, then it is the case of a location update with change of VLR. On the basis of the user identification parameter IMUI, the VLR is enabled to determine the HLR managing the user's communications. It transmits the parameters IMUI and IMTI to this HLR. The relevant HLR then retrieves from its database 10 the session key Ks associated with the user IMUI and with the terminal IMTI and transmits this session key Ks to the VLR. The VLR generates a random number R2 which it transmits to the terminal PA through the access system. The terminal PA calculates an authentication key SRES on the basis of the session key Ks which it has previously stored, of its secret identification key D and of the random number R2 which it has just received from the VLR: SRES=AT(Ks, D, R2). This authentication key SRES is transmitted by the terminal PA to the VLR. The VLR retrieves the secret terminal identification key D on the basis of the parameter IMTI received. It then calculates the authentication key SRES on the basis of the session key Ks which it has received from the HLR, of the key D which it has just retrieved, and of the random number R2: SRES=AT(Ks, D, R2). The VLR compares the authentication key SRES which it has just calculated with that which it has received from the terminal PA. In the event of concordance it gives authorization to the terminal PA [...] the session key Ks which it has [...]. The HLR lastly informs the old VLR, to which the user [...].

If the VLR initially finds a session key Ks associated with the identification parameters IMUI, IMTI, then it is the case of a location update without change of VLR. The authentication procedure applied is then the same as that illustrated in FIG. 3, but the steps represented surrounded by dashed lines need not be performed. In this case, no exchange of data between the VLR and the HLR is necessary.

The subsequent authentication procedures illustrated in FIG. 3 are applicable in similar fashion when several users IMUI, IMUI', ... are simultaneously signed on to the same terminal PA.

After signing on one or more users, the terminal can hence be authenticated autonomously, independently of the associated module(s) SIM (the module SIM does not come into the chart of FIG. 3). This advantage is particularly important in radiocommunication networks requiring to authenticate the terminals during location updates.

It will be observed that the process described above by way of example can be contrived so as to take account of the constraints specific to each type of network. For example, there may be provision for the user and terminal identification parameters IMUI, IMTI, which do not have the same degree of confidentiality as the secret keys Ku, D, not to be transmitted plainly over the radio interface between the base stations and the mobile stations, this interface being accessible to everyone. In particular, the identification parameters can be transmitted in a coded form dependent on the area of location of the mobile station. A well-known example of such a mode of coding is applied in the case of the GSM in order to define the temporary mobile subscriber identities (TMSI) of the users (see GSM Recommendations No. 02.09, 02.17, 03.20 and 03.21).

There may furthermore be provision for the random numbers R1 involved in calculating the session keys to be generated by the HLRs and not by the VLRs. In particular, when the VLR transmits a sign-on request to the HLR together with the parameters IMUI and IMTI (FIG. 2), the HLR can generate several random numbers R1_1, ..., R1_n and calculate the corresponding session keys Ks_1, ..., Ks_n. It then transmits several pairs (R1_i, Ks_i) to the VLR, which selects one of them in order to calculate the authentication key SRES. When the sign-on and authorization procedure is subsequently repeated (at the behest of the network, or in the event of a call emanating from the mobile station), the VLR can use another pair (R1_j, Ks_j) without having to turn to the HLR again. This arrangement, applied in comparable manner in the current GSM system, advantageously reduces the number of exchanges between the VLR and the HLR.
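The sign-on exchange of FIG. 2 and the terminal-only re-authentication of FIG. 3 (including the change-of-VLR case, in which the new VLR fetches the stored session key from the HLR), run end to end in Python. This is an added example, not code from the patent or from any GSM implementation. The patent does not specify AG, AT or the operator's function f; they are instantiated here with HMAC-SHA256 as an assumption, the class names SIM, Terminal, HLR and VLR, the identifiers IMUI-0001 and IMTI-0042 and the operator secret are constructed, and the random numbers R1, R2 come from the operating system. The last two results show what the terminal key D buys: a terminal that copies a genuine IMTI, and is even handed the session key Ks, but does not hold D=f(IMTI) fails both the FIG. 2 sign-on and the FIG. 3 re-authentication.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# AG, AT and the operator function f are unspecified in the patent; HMAC-SHA256 is ASSUMED here.
def AG(Ku: bytes, IMTI: bytes, R1: bytes) -> bytes:
    """Session key Ks = AG(Ku, IMTI, R1), computed by the SIM and by the HLR."""
    return hmac.new(Ku, b"AG|" + IMTI + b"|" + R1, hashlib.sha256).digest()

def AT(Ks: bytes, D: bytes, R2: bytes) -> bytes:
    """Authentication key SRES = AT(Ks, D, R2), computed by the terminal and by the VLR."""
    return hmac.new(Ks, b"AT|" + D + b"|" + R2, hashlib.sha256).digest()

def f(operator_secret: bytes, IMTI: bytes) -> bytes:
    """Operator-only derivation D = f(IMTI): the VLR recovers D without a terminal database."""
    return hmac.new(operator_secret, b"D|" + IMTI, hashlib.sha256).digest()

class SIM:
    def __init__(self, IMUI: bytes, Ku: bytes):
        self.IMUI, self._Ku = IMUI, Ku              # Ku never leaves the module

    def session_key(self, IMTI: bytes, R1: bytes) -> bytes:
        return AG(self._Ku, IMTI, R1)

class Terminal:
    def __init__(self, IMTI: bytes, D: bytes):
        self.IMTI, self._D = IMTI, D                # D sits in the protected memory 17
        self.users: list[bytes] = []                # IMUIs signed on to this terminal
        self.Ks: bytes | None = None                # session key kept after SIM withdrawal

    def sres(self, Ks: bytes, R2: bytes) -> bytes:
        return AT(Ks, self._D, R2)

class HLR:
    def __init__(self):
        self.subscribers: dict[bytes, bytes] = {}   # IMUI -> Ku (database 10)
        self.sessions: dict[bytes, tuple] = {}      # IMUI -> (IMTI, Ks, MSRN)

    def session_key(self, IMUI: bytes, IMTI: bytes, R1: bytes) -> bytes:
        return AG(self.subscribers[IMUI], IMTI, R1)

    def stored_session_key(self, IMUI: bytes, IMTI: bytes) -> bytes | None:
        s = self.sessions.get(IMUI)
        return s[1] if s and s[0] == IMTI else None

class VLR:
    def __init__(self, name: str, operator_secret: bytes, hlr: HLR):
        self.name, self._secret, self.hlr = name, operator_secret, hlr
        self.sessions: dict[tuple[bytes, bytes], bytes] = {}   # (IMUI, IMTI) -> Ks (database 12)

    def sign_on(self, sim: SIM, term: Terminal) -> bool:
        """FIG. 2: sign-on of a user module at a terminal with combined authorization."""
        IMUI, IMTI = sim.IMUI, term.IMTI                           # SIM -> terminal -> VLR
        R1, R2 = secrets.token_bytes(16), secrets.token_bytes(16)  # VLR -> terminal
        Ks_sim = sim.session_key(IMTI, R1)                         # terminal -> SIM: IMTI, R1
        sres_term = term.sres(Ks_sim, R2)                          # terminal -> VLR: SRES
        Ks_net = self.hlr.session_key(IMUI, IMTI, R1)              # VLR -> HLR: IMUI, IMTI, R1
        sres_net = AT(Ks_net, f(self._secret, IMTI), R2)           # VLR recovers D = f(IMTI)
        if not hmac.compare_digest(sres_term, sres_net):
            return False
        term.users.append(IMUI)                                    # terminal keeps IMUI and Ks
        term.Ks = Ks_sim
        self.sessions[(IMUI, IMTI)] = Ks_net                       # VLR keeps IMUI, IMTI, Ks
        self.hlr.sessions[IMUI] = (IMTI, Ks_net, (self.name, secrets.token_hex(4)))  # MSRN -> HLR
        return True

    def reauthenticate(self, term: Terminal, IMUI: bytes) -> bool:
        """FIG. 3: later authentication of the terminal alone; no SIM takes part."""
        IMTI = term.IMTI                                           # terminal -> VLR: IMUI, IMTI
        Ks = self.sessions.get((IMUI, IMTI))
        if Ks is None:                                             # change of VLR: ask the HLR
            Ks = self.hlr.stored_session_key(IMUI, IMTI)
            if Ks is None:
                return False                                       # never signed on anywhere
            self.sessions[(IMUI, IMTI)] = Ks
        if term.Ks is None or IMUI not in term.users:
            return False
        R2 = secrets.token_bytes(16)                               # VLR -> terminal: R2
        sres_term = term.sres(term.Ks, R2)                         # terminal -> VLR: SRES
        return hmac.compare_digest(sres_term, AT(Ks, f(self._secret, IMTI), R2))

def demo() -> dict[str, bool]:
    """Constructed scenario: one subscriber, a genuine terminal and a terminal copying its IMTI."""
    operator_secret = b"operator-secret-for-f"                     # constructed
    hlr, Ku = HLR(), secrets.token_bytes(16)
    sim = SIM(b"IMUI-0001", Ku)
    hlr.subscribers[sim.IMUI] = Ku                                 # Ku delivered with the SIM
    term = Terminal(b"IMTI-0042", f(operator_secret, b"IMTI-0042"))  # D = f(IMTI) written by operator
    vlr_a, vlr_b = VLR("VLR-A", operator_secret, hlr), VLR("VLR-B", operator_secret, hlr)
    clone = Terminal(b"IMTI-0042", secrets.token_bytes(32))         # right IMTI, wrong D
    out = {"sign_on": vlr_a.sign_on(sim, term)}
    out["reauth_same_vlr"] = vlr_a.reauthenticate(term, sim.IMUI)  # no HLR exchange needed
    out["reauth_new_vlr"] = vlr_b.reauthenticate(term, sim.IMUI)   # Ks fetched from the HLR
    clone.Ks, clone.users = term.Ks, list(term.users)              # even if Ks leaked to the clone
    out["clone_reauth"] = vlr_a.reauthenticate(clone, sim.IMUI)
    out["clone_sign_on"] = vlr_a.sign_on(sim, clone)
    return out
```

Calling demo() returns the five outcomes; the first three are True and the two clone cases are False. The SRES comparison uses hmac.compare_digest so the VLR's check is constant-time, Ku stays inside the SIM object and D inside the Terminal object as the description requires, and the HLR record is written only after the VLR has confirmed concordance, matching the order in which the patent has the VLR allocate the roaming number MSRN and report it to the HLR.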

We claim:

1. Process for controlling access to a telecommunications network by means of a terminal operating together with a user module, in which a session key is calculated, on the one hand by the user module and on the other hand by the network, on the basis of data which include a user identification key held secretly in a memory of the user module and a first random number provided by the network, the network retrieving the user identification key on the basis of a user identification parameter issued by the terminal, wherein the terminal calculates an authentication key on the basis of data which include the session key calculated by the user module, a terminal identification key held secretly in a memory of the terminal and a second random number provided by the network, wherein the network calculates in the same way the authentication key on the basis of data which include the session key calculated by the network, the terminal identification key retrieved by the network on the basis of a terminal identification parameter issued by the terminal and the second random number, and wherein the terminal is authorized to access the network in the event of concordance between the authentication keys calculated by the terminal and by the network.

2. Process according to claim 1, wherein, the network including an access system and at least one user management unit, the calculations of session keys by the network are performed at user management unit level, whereas the calculations of authentication keys by the network are performed at access system level.

3. Process according to claim 1, wherein the data on the basis of which the session key is calculated further include the terminal identification parameter.

4. Process according to claim 1, wherein the terminal stores the user identification parameter and the session key calculated by the user module, and wherein the network stores the user identification parameter and the terminal identification parameter which are received from the terminal as well as the session key calculated by the network.

5. Process according to claim 1, wherein, when a plurality of user modules have been presented in succession to the terminal, and when access to the network by the terminal has been authorized for each of said plurality of user modules, the terminal stores the user identification parameters relating to each of said plurality of modules and at least one session key calculated by one of said plurality of modules, and the network stores the user identification parameters relating to each of said plurality of modules, the terminal identification parameter and at least the session key calculated by the network in relation to said one of said plurality of modules.

6. Process according to claim 4, further comprising a subsequent authentication procedure which includes the following steps:

the terminal sends the network its identification parameter and the user identification parameter or parameters which it stores;

the network sends the terminal a random number;

the terminal calculates an authentication key on the basis of data which include the session key which it has held in memory, its identification key and the random number which it has just received from the network; and the terminal sends said authentication key to the network;

the network calculates in the same way the authentication key on the basis of data which include the session key which it has held in memory in connection with the identification parameters received from the terminal, the terminal identification key retrieved on the basis of the terminal identification parameter and the random number; and

the network compares the authentication key which it has received from the terminal with that which it has calculated in order to authorize the terminal to access the network in the event of concordance.

* * * * *
FIG. 12  ESCROW CERTIFICATE (EXAMPLE)
Fields: version no.; certificate serial no.; escrow center name; escrow center country code; KE+ec (for LEAF use); user name; KE+user (for messages); KS+dev (to verify LEAF); validity period; escrow center signature.

FIG. 13  CLIPPER LEAF PACKET (CONJECTURED)
Fields: checksum of Kmsg; device serial no.; checksum of LEAF. Key legend: Kmsg, symmetric message key; Kdev, embedded symmetric device key; Kfam, symmetric Clipper family key.

FIG. 14  DEVICE CERTIFICATE: <KS+dev>mfgr (EXAMPLE)
Fields: version no.; mfgr name; device serial no.; device type/model; mfg date; KS+dev; attribute codes (optional); mfgr signature.

FIG. 18  MESSAGE CONTROL HEADER (EXAMPLE) (IN RSA KEY-TRANSPORT FORMAT)
Fields: version no.; (message key) KE+recip; sender escrow center name (ec1); sender escrow center country code; recipient escrow center name (ec2); recipient escrow center country code; (sender escrow cert. no.) KE+ec1; (message key) KE+sender (to himself); (recip. escrow cert. no.) KE+ec2; timestamp (optional); sender device signature.

FIG. 21  SELF-CERTIFYING TRUSTED TIMESTAMP DEVICE
Elements: a tamper-resistant device (CPU; crypto coprocessor; clock with battery; memory holding KS-dev, <KS+dev>mfgr, KS+swa, firm name, other keys and certs); a trusted time-setting entity (e.g. post office) issuing a time-set instruction ("The time is now 3:05PM Jan 3, 1994. Set yourself and proceed. Signed, Post Office") together with a time-set authorization certificate ("'Post Office' is a trusted time-setter. Signed, systemwide authority"); any data structure containing a contemporaneous timestamp ("Jan 3, 1994 - 3:05PM. Signed, Device"), which verifies against the device manufacturer's certificate ("'Device #' is trusted to issue timestamps. KS+dev. Signed, Mfgr"). Note: the timestamp will be null if the clock is not calibrated.

U.S. Patent Aug. 25, 1998, Sheet 19 of 25, 5,799,086

FIG. 23  OWNER REKEY INSTRUCTIONS PROCESS
Elements: an owner certificate signed by the manufacturer (version no.; device serial no.; owner name; owner unique ID; KS+owner; purchase date); a signed rekey instruction (device serial no.; owner unique ID; CC name; ec1 name; ec2 name; ec3 name; rekey expire date; instruction ser. no.; signature); the trusted device (labels shown: ec, KE+CC, swa), which emits new escrow request messages.

FIG. 25  LAW ENFORCEMENT ACCESS FIELD (MULTIPLE RECIPIENTS) (IN RSA KEY-TRANSPORT FORMAT)
Fields: version number; recipient name; (message key) KE+recip (to recipient); recipient escrow center name (ec1); (recipient certificate no.) KE+ec1; recipient employer 1a name (empl 1a); (message key, recip. certif. no.) KE+empl 1a; recipient employer 1b name (empl 1b); (message key, recip. certif. no.) KE+empl 1b; sender name; (message key) KE+sender (to himself); sender escrow center name (ec2); (sender certificate no.) KE+ec2; sender employer 2a name (empl 2a); (message key, sender certif. no.) KE+empl 2a; sender message sequence number; hash of message; time of creation; sender device signature.
ENHANCED CRYPTOGRAPHIC SYSTEM AND METHOD WITH KEY ESCROW FEATURE

CROSS-REFERENCE TO RELATED APPLICATION

This is a division of application Ser. No. 08/272,203, filed Jul. 8, 1994, abandoned, which is a continuation-in-part of application Ser. No. 08/181,859, filed Jan. 13, 1994, now abandoned.

BACKGROUND OF THE INVENTION 

This invention relates to cryptographic communications 
systems. More particularly, this invention relates to the 
secure generation, certification, storage and distribution of 
cryptographic keys used in cryptographic communications 
systems. Still more particularly, this invention relates to a 
system of cryptographic key escrow and public-key certifi- 
cate management enforced by a self-certifying chip device. 

The development and proliferation of sophisticated computer technology and distributed data processing systems has led to a rapid increase in the transfer of information in digital form. This information is used in financial and banking matters, electronic mail, electronic data interchange and other data processing systems. Transmission of this information over unsecured or unprotected communication channels risks exposing the transmitted information to electronic eavesdropping or alteration. Cryptographic communications systems preserve the privacy of these transmissions by preventing the monitoring by unauthorized parties of messages transmitted over an insecure channel. Cryptographic communications systems also ensure the integrity of these transmissions by preventing the alteration by unauthorized parties of information in messages transmitted over an insecure channel. The cryptographic communications systems can further ensure the integrity and authenticity of the transmission by providing for recognizable, unforgeable and document-dependent digitized signatures that can prevent denial by the sender of his own message. 

Cryptographic systems involve the encoding or encrypting of digital data transmissions, including digitized voice or video transmissions, to render them incomprehensible by all but the intended recipient. A plaintext message consisting of digitized sounds, letters and/or numbers is encoded numerically and then encrypted using a complex mathematical algorithm that transforms the encoded message based on a given set of numbers or digits, also known as a cipher key. The cipher key is a sequence of data bits that may either be randomly chosen or have special mathematical properties, depending on the algorithm or cryptosystem used. Sophisticated cryptographic algorithms implemented on computers can transform and manipulate numbers that are hundreds or thousands of bits in length and can resist any known method of unauthorized decryption. There are two basic classes of cryptographic algorithms: symmetric key algorithms and asymmetric key algorithms. 

Symmetric key algorithms use an identical cipher key for both encrypting by the sender of the communication and decrypting by the receiver of the communication. Symmetric key cryptosystems are built on the mutual trust of the two parties sharing the cipher key to use the cryptosystem to protect against distrusted third parties. The best known symmetric key algorithm is the National Data Encryption Standard (DES) algorithm first published by the National Institute of Standards and Technology. See Federal Register, Mar. 17, 1975, Vol. 40, No. 52 and Aug. 1, 1975, Vol. 40, No. 
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149. The sender cryptographic device uses the DES algorithm to encrypt the message when loaded with the cipher key (a DES cipher key is 56 bits long) for that session of communication (the session key). The recipient cryptographic device uses an inverse of the DES algorithm to decrypt the encrypted message when loaded with the same cipher key as was used for encryption. However, the adequacy of symmetric key cryptosystems in general has been questioned because of the need for the sender and the recipient to exchange the cipher key over a secure channel to which no unauthorized third party has access, in advance of the desired communications between the sender and recipient. This process of first securely exchanging cipher keys and only then encrypting the communication is often slow and cumbersome, and is thus unworkable in situations requiring spontaneous or unsolicited communications, or in situations requiring communications between parties unfamiliar with each other. Moreover, interception of the cipher key by an unauthorized third party will enable that party to eavesdrop on both ends of the encrypted conversation. 
The second class of cryptographic algorithms, asymmetric key algorithms, uses different cipher keys for encrypting and decrypting. In a cryptosystem using an asymmetric key algorithm, the user makes the encryption key public and keeps the decryption key private, and it is not feasible to derive the private decryption key from the public encryption key. Thus, anyone who knows the public key of a particular user could encipher a message to that user, whereas only the user who is the owner of the private key corresponding to that public key could decipher the message. This public/private key system was first proposed in Diffie and Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Nov. 1976, and in U.S. Pat. No. 4,200,770 (Hellman et al.), both of which are hereby incorporated by reference. 
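As an added example (not from the patent), the contrast just described between a shared symmetric key and a public/private key pair, with textbook RSA as the concrete asymmetric algorithm and a SHA-256 keystream standing in for a symmetric cipher such as DES. The primes, key sizes and sample message are constructed for illustration and are far too small for real use:

```python
"""Added example (not from the patent): symmetric versus public/private keys.
Textbook RSA stands in for the asymmetric algorithm; a SHA-256 keystream
stands in for DES. Parameters are constructed toys, not secure sizes."""
import hashlib


# --- symmetric: one key, agreed in advance, encrypts and decrypts both ways ---
def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES (not DES): XOR with a SHA-256 counter-mode keystream.
    The same call with the same key both encrypts and decrypts, which is the
    property that forces sender and receiver to share the key beforehand."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


# --- asymmetric: public exponent encrypts, private exponent decrypts ---
# Constructed toy primes (the Mersenne primes 2^61-1 and 2^89-1). Real RSA
# uses random primes of 1024+ bits and padded messages; this is illustration.
P, Q = 2**61 - 1, 2**89 - 1


def rsa_keypair(p=P, q=Q, e=65537):
    """Return ((e, n), (d, n)). d is computed from p and q, which are then
    discarded; recovering d from (e, n) alone would require factoring n."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def send_short_message(public_key, message: bytes) -> int:
    """Anyone holding the recipient's published key can perform this step."""
    return rsa_encrypt(public_key, int.from_bytes(message, "big"))


def receive_short_message(private_key, ciphertext: int, length: int) -> bytes:
    """Only the holder of the private key can perform this step."""
    return rsa_decrypt(private_key, ciphertext).to_bytes(length, "big")


def demo():
    """Round-trip a constructed message and show the public key cannot undo it."""
    public, private = rsa_keypair()
    message = b"constructed msg"          # 15 bytes, fits below the ~150-bit n
    c = send_short_message(public, message)
    recovered = receive_short_message(private, c, len(message))
    # Applying the public exponent a second time is not decryption.
    wrong = rsa_decrypt(public, c)
    return recovered == message, wrong != int.from_bytes(message, "big")
```

Only the public exponent and modulus are published; the private exponent exists only on the recipient's side. In the symmetric half, by contrast, the identical key object must already be present at both ends before the first message is sent, which is the key-distribution problem the passage describes.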

An early type of asymmetric key algorithm allows secure communication over an insecure channel by interactive creation by the communicating parties of a cipher key for that session of communication. Using the asymmetric key algorithm, two interacting users simultaneously and independently generate a secure cipher key that cannot be deduced by an eavesdropper and that is to be used symmetrically to encode that session of communications between the users. This interactive method of generating a secure cipher key was described by Diffie and Hellman in their 1976 paper. Under this prior art method, known as the Interactive Diffie-Hellman scheme, shown in FIG. 2, each of the two users A, B randomly chooses a secret number 21, 22 and then computes an intermediate number 23, 24 using two publicly-known numbers and the secret number 21, 22 chosen by that user. Each user next transmits the intermediate number 23, 24 to the other user and then computes the secret (symmetric) cipher key 25 using his own secret number 21, 22 and the intermediate number 24, 23 just received from the other user. The interactively generated cipher key 25 is then used symmetrically by both users as a DES or other symmetric cipher key to encrypt and decrypt that session of communications over an otherwise insecure channel in the manner of symmetric key algorithm communications. This interactive process requires only a few seconds of real time, and all digital communications, including digitized sound or video transmissions, in a particular session can be encrypted merely by pushing a button at the outset of a session to initiate the interactive key exchange process. Because all the numbers chosen in the Interactive Diffie-Hellman key generation scheme are very large, the computations are infeasible to invert and the secret cipher key cannot be computed 
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by an eavesdropper, thus preserving the privacy of the communication. Because the computations are infeasible to invert, each user knows that any communication received using this algorithm was not altered and could have been sent only by the other user, thus preserving the integrity and authenticity of the communication. This interactive key exchange method, however, requires the parties to interact in real time in order to create the cipher key and may not be useful for unsolicited communications or unfamiliar parties. In particular, the Interactive Diffie-Hellman key exchange scheme does not work for store-and-forward electronic-mail style messaging or for long-term storage of documents in an electronic data storage system, because the recipient is not on-line to negotiate the session key. 

A modified, non-interactive form of the Diffie-Hellman scheme, known as Certified Diffie-Hellman, can be used when the communicating parties are not on-line together. The initial certification step of the Certified Diffie-Hellman session key generation scheme is shown in FIG. 3. One user, the recipient-to-be, randomly chooses a secret number 31 (his private key) and then computes an intermediate number 33 using two publicly-known numbers 32 and the secret number 31 chosen by that user. That user then sends proof of identification along with the intermediate number and the two public numbers, which numbers together form his public key 34, to a certifying authority that then issues a public key certificate 35 digitally signed 36 by the issuing certifying authority binding the user's identity to the user's Diffie-Hellman public key information 34. The public key 34 publicized by that user remains the same until he decides to rekey and choose another private key 31. Messaging using the Certified Diffie-Hellman method is shown in FIG. 4. In order to transmit a message to that user, a sending user first obtains the receiving user's certificate 35 and verifies the certifying authority's signature 36. The sender next computes the session key 42 for that communication session using the recipient's intermediate number 33 (from the recipient's certificate) and the sender's own secret number 41 (his private key), which he chooses at random. The sender then encrypts a message 43 using the session key 42 and places his own intermediate number 40 unencrypted at the head of the communication. Upon receiving the communication, the recipient computes the session key 42 using the sender's unencrypted intermediate number 40 and his own secret number 31 (or private key), and then uses the session key 42 to decrypt the message 43. As with the Interactive Diffie-Hellman scheme, the session key generated in the Certified Diffie-Hellman scheme is then used by both parties to encrypt and decrypt communications during that session over an otherwise insecure channel using a symmetric algorithm, such as DES. The Certified Diffie-Hellman scheme, however, requires that a trusted entity or a certifying authority sign the receiving user's public key certificate so that a sending user can trust that the information contained within is correct. In addition, the private key randomly chosen by the sender, with which he computes both the session key and the intermediate number for that communication, must not be identical to the private key that is connected to the sender's own public key certificate; in order to avoid others learning his permanent private key numbers (corresponding to the public key numbers that have been certified), the sender should keep them distinct from any ephemeral private keys or intermediate numbers that are generated only for specific messages. 

Another asymmetric key algorithm, named the RSA algorithm after the inventors Rivest, Shamir and Adleman, is described in U.S. Pat. No. 4,405,829 (Rivest et al.), which is hereby incorporated by reference, and involves the difficulty of factoring a number that is the product of two large prime numbers. As with the Interactive Diffie-Hellman scheme the RSA algorithm is relatively straightforward to compute but practically infeasible to invert. Thus, it is not feasible to derive the private key from the public key and, in this way, the privacy of the communication is preserved. Once a message is encrypted with the public key using the RSA algorithm, only the private key can decrypt it, and vice versa. As with the Certified Diffie-Hellman scheme the RSA algorithm requires a trusted entity to certify and publicize the users' public keys. In contrast to both Diffie-Hellman schemes, however, the RSA algorithm does not itself generate a "session key" to be used symmetrically by the parties. Instead, the public encryption key for a particular user directly encrypts communications to that user and that user's private decryption key decrypts those communications encrypted with the user's public key. In this way, the RSA algorithm is a pure asymmetric key algorithm. However, because the RSA algorithm is complex and involves exponentiation of the message by very large numbers, encrypting or decrypting a message of even moderate length using the RSA algorithm requires a great deal of time. Thus, it is much simpler, faster and efficient to use the RSA asymmetric algorithm to transport a DES cipher key for use in a symmetric algorithm. This prior art mode of operation is known as RSA key transport and is shown in FIGS. 5 and 6. For example, referring to FIG. 5, a user could generate a random DES key 51 and encrypt a message 52 with that DES key. The user would then encrypt the DES key 51 with an intended receiving user's public RSA encryption key 53 and transmit the DES-encrypted message 54 along with the RSA-encrypted DES key 55 to the receiving user. After receiving the transmission, as shown in FIG. 6, the recipient decrypts the DES key 51 using his private RSA decryption key 56 and uses that DES key 51 to decrypt the message 52. Because the DES algorithm requires much less time and expense to compute than does the RSA algorithm, the symmetric DES key is used to encrypt and decrypt the actual message, while the asymmetric RSA keys are used to encrypt and decrypt the symmetric DES key. 

The RSA public/private key cryptosystem also provides for a digital "signature" that is both message dependent and signer dependent, and can be used to certify that the received message was actually sent by the sender and that it was received unaltered. RSA digital signature is based on the additional property of RSA that, in addition to allowing the user's private key to decrypt only those communications encrypted using that user's public key, permits a user's private key to encrypt messages that can be decrypted only by that user's public key. Because only the user has the private key, use of the private key to encrypt allows for proof of origin that can be verified by anyone with access to the user's public key. In practice, the sender first uses his private key to encode the message text into a signed message, which can be decrypted by anyone but could have come only from the sender. If desired, the sender may then optionally use the recipient's public encryption key to encipher the signed message to be transmitted. Upon receipt of the ciphertext the recipient decrypts the ciphertext with his private decryption key, if necessary, and decodes the signed message with the sender's public encryption key. Because only the sender knows his unique private key, only the sender could have sent the particular "signed" message; the signature thus verifies the identity of the sender. Also, because the recipient has only the sender's public key, the sender cannot claim that the recipient or an unauthorized third party altered or 
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fabricated his message; the signature thus prevents repudiation of the message by the sender. Furthermore, because only the sender's private key transforms the original message and only the sender knows his unique private key, neither the recipient nor an unauthorized third party could have altered the message; the signature thus certifies the integrity of the message. 

The RSA algorithm also provides for another type of digital signature that uses a hashing function to create a short message digest that is unique to each document. FIGS. 7 and 8 show RSA signature creation and RSA signature verification, respectively, using a hashing function. A hashing function is another complex mathematical algorithm that is "one-way," i.e. so that it is infeasible to reconstruct the document from the hash result, and is "collision-free," i.e. so that it is infeasible to produce another document that will hash to the same digest. As shown in FIG. 7, the sender first passes the message 72 through a hashing algorithm 73 to produce the message digest 74 and then encrypts the digest with his RSA private key 75, forming a compact digital signature 76 that is attached to the message 72. After receiving the transmission of the message 72 and the message digest 76, as shown in FIG. 8, the recipient decrypts the sender's RSA encrypted message digest 76 (the digital signature) using the sender's RSA public key 77. The recipient also uses the same hashing algorithm 73 to produce a message digest 74 from the received message. The two message digests resulting from the two transformations performed by the recipient should be identical, thus verifying that the message was signed by the sender. 

Another system of digital signature, called DSA for Digital Signature Algorithm, may also be used for sender verification. The DSA Algorithm was disclosed in U.S. patent application Ser. No. 07/738,431, which is hereby incorporated by reference in its entirety. The DSA Algorithm has properties that are similar to those of the RSA signature algorithm in that the sender passes the message through a hashing algorithm to produce a message digest and then encrypts or signs the message digest using his private key; the recipient verifies the encrypted digest using the sender's public key. However, unlike the RSA signature algorithm that returns the original message digest when the recipient decrypts the signature block, the DSA verification algorithm results only in a positive confirmation of the validity of the signature; communications encrypted using an intended recipient's public key cannot later be recovered by decryption with the recipient's corresponding private key. For this reason, the DSA algorithm may be used quite capably for digital signatures, but not for key transport or for direct message encryption. 

In order for the public/private key system to operate efficiently, users must trust a centralized key certifying authority to be responsible for publicizing and updating a directory of public encryption keys. The key certifying authority must be trusted by all users, both senders and recipients, to distribute the correct public keys for all users so that no messages are transmitted to unintended recipients. To this end, as discussed above and elaborated below, the certifying authority would distribute each user's name and public encryption key information, and would affix its own digital signature to the distributed information in order to certify the correctness of the information. However, when more than one entity, or a hierarchy of entities, is involved in the certification process, there are several different methodologies or "trust models" for determining how a user will process the certificates. The three main models are (1) a pure hierarchical model, (2) a model using cross-certification between multiple hierarchies, and (3) a "local trust" model. These models are described in detail in the standards document American National Standard X9.30, "Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 3: Certificate Management for DSA" (American Bankers Assn., Washington, D.C., 1992), which is hereby incorporated by reference in its entirety. Although there is not yet a general consensus as to which of the above-mentioned trust models is best, it is assumed throughout this disclosure that an appropriate, generally accepted certification trust model will be established and adhered to whenever certificates issued by more than one entity are involved. 

The public/private key system described above takes into account the privacy interests of the users who wish to transmit and receive communications privately. In addition, however, there are also the law enforcement and national security interests of governments to be considered. The ability of the government to monitor or eavesdrop on otherwise private electronic transmissions for law enforcement and national security purposes must be preserved so that suspected criminals, terrorists and foreign spies are not permitted to conspire beyond the reach of the law. Whereas telephone communications can be monitored through wiretapping, cryptographic algorithms make the enciphered data unable to be deciphered even by powerful code-breaking computers. The increase in the volume and percentage of digital and digitized transmissions encrypted with advanced algorithms will, therefore, serve to frustrate and thwart the lawful government electronic surveillance of these communications, especially if cryptographic devices are widely implemented in telephones, computers, facsimile machines and all other data processing equipment. 

One way to enable the government or other authorized investigators to monitor communications of suspected criminals is to require all users of cryptographic communications to escrow their private decryption keys with either a private authority or the government, i.e. allow either the private authority or the government to be the trusted custodian of the users' private decryption keys. When necessary for surveillance, the government then will have access to or will be able to gain access to the private keys in order to monitor all encrypted communications. This method, however, is unworkable because it contains insufficient safeguards against abuse by the government of the private decryption keys and against possible leaking of the private decryption keys to unauthorized third parties either by theft from the government or the private authority or by corruption of government or private authority personnel. 

Another method of escrowing private decryption keys to preserve both user privacy interests and law enforcement security interests is by using a system such as the method described in "Fair Public Key Cryptosystems," proposed by Silvio Micali at CRYPTO 92, in March 1993 and published by the Laboratory for Computer Science of the Massachusetts Institute of Technology on Oct. 13, 1993, and in U.S. Pat. No. 5,276,737, both of which are hereby incorporated by reference. By this method, shown in FIGS. 9-11, a user who wishes to certify his public key for encryption purposes must escrow his private key in the following manner. As shown in FIG. 9, the user first breaks his private key 91 into several "pieces" 92, each of which can be individually verified 90 to be a valid part of the complete private key 91. The private key can be reconstructed only with knowledge of all the pieces or some specified number of them. The user then sends 93 each piece to a different escrow agent or agency 94, who, as shown in FIG. 10, verifies 95 the piece 
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as a correct part of the private key 91 using a special algorithm and communicates this verification 96 to a master escrow center. Referring to FIG. 11, after receiving verification 96, 97 that each piece of the private key is correct, the master escrow center can then issue a certificate 98 for the user's public key 99, allowing it to be used in a privacy system with the assurance that, if need be and pursuant only [text illegible in source], law enforcement agencies will be able to obtain the secret pieces of the private key from the user's chosen escrow agents, recombine them and monitor the communications of that user. By this system, users can be assured of the privacy of their encrypted transmissions, and government can be assured of its ability to gain access to encrypted transmissions upon a showing of need. Because no one entity normally ever has access to the complete private key and because the user chooses entities that he trusts, the chances of unlawful or corrupt actions are greatly reduced. Also, because a wider range of entities would be eligible as escrow agents, the chances of simultaneously compromising all the escrow agents, and thereby disrupting all trusted commerce, is even further reduced. 

The master escrow center, as a trusted authority certifying the authenticity of the user's public key, periodically issues a publicly-available certificate attesting or notarizing the connection between the public encryption key and its owner's identifying information. The certificate of authenticity assures the sender that transmissions to that named public key user will in fact be received and read only by the intended recipient. The certificate is usually in an international [text illegible in source] specified in CCITT Recommendation X.509 and issued as an international standard by the International Standards Organization (ISO). An example of a public encryption key escrow certificate format is shown in FIG. 12. The certificate contains, among other things, the name of the organization or key management center that created the certificate (the issuer) 121, the owner's public key 122, the owner's identifying information 126, a certificate serial number 123, and validity starting and ending dates 124. The issuer's digital signature 125 "seals" the certificate and prevents its alteration. 

The U.S. government, however, has proposed as a government (and possible industry) standard another method to enable it to escrow private decryption keys and to monitor communications. The U.S. government has developed a microcircuit, called the "Clipper chip," that can be built into government and commercially-produced telephones and computer devices. The Clipper chip is a low-cost chip that may be used for bulk encryption and key management; the Capstone chip is a more advanced version of the Clipper chip that adds digital signature and message digest capabilities. Like other encryption systems, the Clipper chip uses a symmetric encryption algorithm, albeit a classified algorithm called Skipjack, that scrambles telephone and digital computer data communications in a manner similar to DES, but using an 80-bit key. Each Clipper chip has a unique serial number, a Clipper family key common to all Clipper chips and its own symmetric private device key that will be needed by authorized government agencies in order to decode messages encoded by a device containing the chip. When the device containing the chip is manufactured, the unique private device key will be split into two components (called "key splits") and deposited separately with two key escrow data bases or agencies that will be established within the government. Law enforcement agents can gain access to these private device keys by obtaining a warrant or other legal authorization to wiretap or monitor the communications and by presenting the warrant to the two escrow [line missing in source]. 

When users of Clipper chip devices wish to communicate, they first agree on a symmetric session key with which to encrypt the communications. Any method of deriving the symmetric session key, such as the Interactive Diffie-Hellman key derivation process, and any method of transporting the DES session key between users, such as RSA transport, may be used. At the start of each communication, each user sends to the other a Law Enforcement Access Field (LEAF) that contains enough information to allow law enforcement [text illegible in source]. (The Clipper LEAF is shown in FIG. 13. [Text illegible in source] details of the LEAF format [and] verification are currently classified "secret" by the government, this discussion and FIG. 13 are both somewhat speculative.) To form the LEAF, the session key is encrypted using the private device key; then the device-key-encrypted session key, the sender device's serial number and a checksum (a verifying value) of the original unencrypted session key are together encrypted with the Clipper family key to complete the LEAF. The message is then encrypted using the chosen session key. The session-key-encrypted message and the family-key-encrypted LEAF are together transmitted to the recipient. Upon receiving the communication, the receiving user first loads the received LEAF into his Clipper chip in order to check whether the LEAF is valid and whether the session key encrypted within the LEAF matches the session key previously received. If the LEAF is valid, the Clipper chip will decrypt the message [with the session key] previously received [text illegible in source]. 

A law enforcement agent lawfully wiretapping or monitoring a communication, however, does not know the [text illegible in source] the session key. The agent intercepts the desired LEAF, decrypts it using the Clipper family key and then presents the chip serial number from the LEAF and a court-ordered warrant or other legal authorization to the two government escrow agents, receiving in return the two key splits of the wire-tapped user's private device key. The agent combines the two escrowed device key components and uses the resulting device key to decrypt the device-key-encrypted session key from the LEAF. The session key can then be used to decrypt the actual messages from the communications. The requirement that the sender and recipient each create a LEAF and validate the other's LEAF insures that law enforcement agents will have a reasonable chance at intercepting the LEAF, since each LEAF is expected to pass between the users over the same communications medium. Further, it allows law enforcement to selectively monitor only one suspected user by decrypting the LEAF generated by that user, regardless of which user originated the communication. 

Unfortunately, there are many technical problems with the government's Clipper chip proposal, mostly stemming from the fact that the private keys to be escrowed are permanently embedded in the Clipper chips during manufacture. Because the private encryption key for a particular device is burned into the chip and cannot be changed, the chip and probably the entire device that contains it must be discarded if compromised. It is preferable for the user of a particular device to be able to rekey, reescrow and recertify the device at will if compromise is suspected or at regular intervals to avoid potential compromise. In addition to the inability of the user to rekey and reescrow, the user of the Clipper device has no choice of the number or the identities of the key escrow agents employed by the government to safeguard his private key. Instead, the private key splits are deposited in two escrow data bases or agencies established by the government. 
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Users may not trust the Clipper chip devices due to the risk that the government may have complete access to any transmission or transaction through the device, access that could be abused or corrupted. Users may also desire that their keys be escrowed with more trustees than the government provides, in order that their private keys will be more secure. If the concept of key escrow is to have significance, each user must be able to choose his own trustees with whom to escrow his private keys, based upon the level of trust desired. 

Also, it is believed that the government Clipper system allows users to communicate only symmetrically and in real time, and does not provide any direct support for store-and-forward electronic-mail type messaging. Prior to encrypting communications, the sender and recipient must first agree on a symmetric session key with which to encrypt the communications. Typically, this key exchange is done using the Interactive Diffie-Hellman scheme, the only key exchange method believed to be supported by the Clipper chip. Thus, unless they wish to arrange their own key management system, users are restricted to simultaneous, interactive communications, such as real-time voice or facsimile communications. In order to use store-and-forward electronic-mail type messaging, however, a user [must first obtain] the intended recipient's public key, such as by using a Certified Diffie-Hellman or a certified RSA key transport scheme, even if the intended recipient is not available for an interactive on-line communication. Because it is believed that the government's Clipper system does not facilitate this, store-and-forward messaging is difficult. The government's proposed standard system thus may tend to limit the competitive market for communications and computer hardware. A government agency or a government-authorized manufacturer may be unable or unwilling to design and market advanced devices and products specially tailored for particular companies as would a private manufacturer. If the government authorizes only certain vendors to manufacture chips having the classified algorithm, competition will be reduced and the technology will be prevented from being incorporated into other products. Additionally, because the details of the Skipjack algorithm have not been made public, suspicion has arisen as to whether the algorithm could be insecure, due either to an oversight by its designers or to the deliberate introduction by the government of a trap door. An important value of cryptosystem design is that the privacy and security of the encrypted messages should depend on the secrecy of the relevant key values, not on the secrecy of the system's details. 

It is, therefore, desirable to provide a commercial key escrow system that uses published algorithms, operates in a manner that inspires the users' trust and confidence, and [text illegible in source] problems posed by national security and law enforcement demands. 

[It is also desirable to provide a] commercial key escrow system that uses private keys that may be changed by the [user at] will or at regular intervals. 

It is further desirable to provide a commercial key escrow system that allows the user to choose the key escrow agents to safeguard his private key [or] the separate pieces of his private key. 

It is still further desirable to provide a commercial key 

munications capabilities of users to on-line interaction. escrow system that contains safeguards against unrestricted 

Moreover, under the government system, the users* government access, yet aUows access by the employers of 

employers have no access to the encrypted data or trans- the users or by the countries <rf which the foreign users are 

missions of their en^iloyees. Employers, on ^osc behalf 35 citizens. 

the en^)loyees are developing, communicating or transmit- It is also desiraUe to provide a commercial key escrow 

ting confidential or proprietary data, must retain the right to system that <^ers an alternative to the U.S. Government's 

gain access to their eiiq)loyees' data or transmissions. Many proposed Clipper dhip system, 
simations could arise wherein encrypted information would 

be available only to the specific en^loyees directly engaged 40 SUMMARY OF THE INVENTION 

in using the cryptographic systems and not to the manage- I5 ^^^^ object of this invention to jwovide a commercial 

ment or boards of directors who arc reqwnsible f<x those escrow system that uses published algorithms, operates 

employees and who own the corporate data resources. By manner that inspires the users' trust and confidence, and 

encrypting data or communications, employees could solves the problems posed by national security and law 

dcvel<^ OT appropriate for themselves new programs, fffod- 45 enfOTCcmcnt demands. 

ucts and technologies cr could conduct illegal activities and ^ . ^ ^^^^ ^ invention to provide a corn- 
transactions, all without their en^loyas' knowledge. Also, ^ ^^^^ p^^^^ j^^ys ^^at may 
movement or reorganization of staff and changes of storage ^ changed by the usa: at wiU or at regular intervals, 
facilities could result in the loss of massive amounts of * ^ 
mformauon that ^as impoit|m^ al toe mneof 50 ^^^^^ ^ user to 
enaypaon to be encrypted. See Donn B Parto Oypto ^^oosethekey escrow agente to safeguard his private key or 
and Avoidance of Business Information Anarchy" (Invited * -I™ Jf. «««ot- t-t 
speaker presentation at First Annual AC Conference on P^^^^ his private key. 
Cor^teVand Communication Security, Nov. 3-5, 1993, It is stiU a further object of this invention provide a 
Reston. Va.), which is hereby incopocated by reference. 55 «>rmnercial key escrow system that contains safeguards 
Aside from die originator of the data or the sender of die against unrestricted government access, yet aUows access by 
transmissions, the Clipper chip aUows only the government the employers of die users or by the countnes of which die 
to have access to the transmissions. Aldiough employers foreign users are citaens. 

could seek a court-issued warrant in wder to monitor their K is yet anodicr object of this invention to provide a 

employees' communications, en^loyers may wish to moni- 60 commercial key esaow system diat offers an alternative to 
tor their internal oflficers in a mcwe discreet fashion than by the U.S. Government's proposed Clipper chip system, 

initiating a federal investigation any time suspicion is a These and other objects of the invention are accomplished 

roused. in accordance with the pcinc^les of the invention by pro- 
Furthermore, mandating a classified alg<^thm diat is viding a cryptogr^hic key escrow system that uses a 
embedded in Uie chip and thus available only in hardware 63 mediod. such as die Micali ^Tair" escrow mcdiod, for 
and only from government-authorized chip manufacturers verifiably splitting users' private encryption keys into com- 
injects the government into the rtqpidly changing and highly ponents and for sending those components to trusted agents 
chosen by the particular users, and by providing a system that uses modern public key certificate management, enforced by a chip device that also self-certifies. In a preferred embodiment of this invention, the new chip encrypts or decrypts only if certain conditions are met, namely, (1) if a valid "sender certificate" and a valid "recipient certificate" are input, where "valid" means that the particular user's private decryption key is provably escrowed with a specified number of escrow agents and that the master escrow center is registered and certified by the chip manufacturer, and (2) if a valid Message Control Header is generated by the sender and validated by the recipient, thereby giving authorized investigators sufficient information with which to request and obtain the escrowed keys. Because this invention relies upon a system of certificate management, it can be made very flexible and independent of location and time, unlike purely on-line systems.

The methods for escrowing a private decryption key and receiving an escrow certificate are also applied herein to a more generalized case of registering a trusted device with a trusted third party and receiving authorization from that party enabling the device to communicate with other trusted devices.

A further preferred embodiment of this invention provides a method for generating verifiably trusted communications among a plurality of users, comprising the steps of escrowing at a trusted escrow center a plurality of asymmetric cryptographic keys to be used by a plurality of users; verifying each of said plurality of keys at the escrow center; certifying the authorization of each of said plurality of keys upon verification; and initiating a communication from each of said plurality of users using a respective one of said plurality of keys contingent upon said certification. Further embodiments of this invention provide for decoding of communications by authorized law enforcement agents, based upon use of the Message Control Header included with each communication, using a special law enforcement decoder box and auditing of the law enforcement wiretaps to prevent abuse by law enforcement and other officials. Further preferred embodiments provide for rekeying and upgrading of device firmware using a certificate system, and encryption of stream-oriented data.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which the reference characters refer to like parts throughout and in which:

FIGS. 1A-1G are lists of symbols and abbreviations that are used in the figures of this invention;

FIG. 2 is a flowchart showing the steps of the prior art Interactive Diffie-Hellman key derivation method;

FIG. 3 is a flowchart showing the steps of the certification portion of the prior art Certified Diffie-Hellman method;

FIG. 4 is a flowchart showing the steps of the messaging portion of the prior art Certified Diffie-Hellman method;

FIG. 5 is a flowchart showing the steps of encryption using the prior art RSA key transport method;

FIG. 6 is a flowchart showing the steps of decryption using the prior art RSA key transport method;

FIG. 7 is a flowchart showing the steps of signature creation using the prior art RSA method;

FIG. 8 is a flowchart showing the steps of signature verification using the prior art RSA method;

FIGS. 9-11 are flowcharts that together show the steps of the prior art Micali key escrow process;

FIG. 12 is an example of the format for a prior art public encryption key escrow certificate;

FIG. 13 is an example of the believed format of the Law Enforcement Access Field (LEAF);

FIG. 14 is an example of the format for a device certificate issued by the manufacturer of the device of the present invention;

FIG. 15 is a flowchart showing the steps of a method of verifiably escrowing a key with only one escrow agent;

FIG. 16 is a flowchart showing the steps of a method of verifiably escrowing a key, based on the trusted device alone;

FIG. 17 is a flowchart showing the steps of a method of sending an encrypted message with a Message Control Header (MCH);

FIG. 18 is an example of the format for a MCH in RSA key transport format;

FIG. 19 is a flowchart showing the steps of a method of receiving an encrypted message with a MCH;

FIG. 20 is a flowchart showing …;

FIG. 21 is an example of a self-certifying trusted timestamp device;

FIG. 22 is an example of the format for a device owner certificate issued by the manufacturer of the device of the present invention;

FIG. 23 is a flowchart showing the steps of a method of re-escrowing a key (rekeying) by the owner of the device of the present invention;

FIG. 24 is a flowchart showing the steps of a method for registration of the trusted device of the present invention with a trusted third party;

FIG. 25 is an example of a format for a Law Enforcement Access Field for multiple recipients;

FIG. 26 is a flowchart showing the steps of a method for embedding of an owner public key upon initial sale;

FIG. 27 is a flowchart showing the steps of a method for a rekeying process controlled by an owner;

FIG. 28 is a flowchart showing the steps of a method for transfer of ownership; and

FIGS. 29 and 30 are flowcharts showing the steps of a method for enforcement of the escrow requirements by either sender or recipient.

DETAILED DESCRIPTION OF THE INVENTION

Public key cryptosystems, including the use of digital signatures, can potentially be the cornerstone of the creation of national, or even global, paperless electronic document systems. Use of these systems will have enormous commercial significance in terms of cost savings. The critical element in the development and widespread acceptance of such systems is the reliance placed upon the underlying cryptosystems and the digital signatures by governments, banks, corporations and other users including individual users. Reliance on these systems should arise not from trust by each user of its own internal system or of other users, but rather from trust by each user of the public key cryptosystem and of the certification mechanisms it provides. The commercial cryptosystem of the present invention satisfies these concerns by using self-certifying and, therefore, trusted, encryption devices as the impartial arbiters of trust.


12/09/2003, EAST Version: 1.4.1

5,799,086

In a preferred embodiment of the present invention, the tamper-resistant chip, or a tamper-resistant trusted device containing the chip, that performs the encryption, decryption and digital signature is embedded with a non-modifiable public/private signature key pair unique to that chip and with a "manufacturer's certificate." The embedded manufacturer's certificate enables the device containing the chip (a) to digitally "sign" documents and communications ("data structures") using its own private device signature key proving that they uniquely originated from that device and (b) to prove by appending the manufacturer's certificate to documents and communications that those data structures can be trusted because the originating device is one of known and trusted type and is made by that trusted manufacturer. The manufacturer's certificate in effect says, "The device whose private key matches the public key certified herein is of type XXX. Signed, Manufacturer." Because the private signature key is embedded in a tamper-resistant manner and because the manufacturer is trusted, documents and communications issued by the device and signed using the private signature key will also be trusted.

A preferred embodiment of the present invention contains seven major phases of use: (1) creation or manufacture of the chips contained in the device, (2) registration of the device's encryption key with escrow agents, (3) normal encryption and decryption of user messages, (4) decoding of communications by authorized law enforcement agents, (5) rekeying and upgrading of the device by the owner or employer, (6) auditing of law enforcement wiretaps, (7) encryption of stream-oriented data, and (8) national security safeguards.

Manufacture of the Trusted Device

Manufacture of trusted devices of the present invention is based on the presence of the following general features:

(1) An embedded microprocessor (or microcontroller), a miniature computer that mediates all outside access and performs various computational and programming operations;

(2) An optional cryptographic coprocessor, which can perform standard mathematical encrypting and decrypting operations at much higher speed than can a general purpose microprocessor and which will preferably contain a hardware noise source, such as a diode noise source, to assist in the generation of certifiably random numbers as needed for cryptographic key generation;

(3) An input-output interface or subsystem to assist in handling the flow of data and commands to and from the microprocessor, which may include a status display or monitor; and

(4) A memory subsystem that may potentially employ several types of memory storage technology, each having different characteristics of permanence and accessibility, such as (a) Read Only Memory ("ROM") that can contain permanent and unchangeable programs and data, (b) Electrically Erasable Programmable Read Only Memory ("EEPROM") or "FLASH" memory, that can contain semi-permanent programs and data, i.e. they can be changed but nevertheless are not lost when device power is lost or shut off, and (c) Random Access Memory ("RAM"), which can be used for temporary calculations and temporary data storage but is lost when power is shut off.

The entire device is designed and manufactured in such a way that all its elements, including especially the permanent and semi-permanent memory areas, are shielded from tampering that might reveal their contents or alter their modes of operation. One way to shield the device elements from tampering is through the use of special coatings that are difficult to remove without destroying the information that underlies the coatings. In addition, there are other features that can cause the memory to be erased if any alteration to the physical enclosure of any of the memory areas is attempted or if suspicious actions that may signal tampering attempts, such as cooling the device to abnormally low temperatures in an attempt to deactivate and defeat the device's internal defense mechanisms, occur. Some of these protective features may require a constant source of battery power, such that the device can take electrical actions to delete important data if tampering is suspected. The present invention does not specify any particular preferred method of making the devices tamper-resistant, but rather relies on existing or future technologies that may be or may become generally regarded as providing an acceptable degree of protection from unauthorized disclosure or modification of the data contained in the devices. A device with such characteristics is sometimes referred to as a tamper-resistant secure module (TRSM), of which a current example is the Clipper/Capstone device, discussed earlier, commercially available from Mykotronx, Inc.

The manufacturer of the chips may be any of the many major computer microprocessor chip manufacturers. The manufacturer should preferably be one who is known to the cryptographic industry and is trusted with respect to chip quality and security and the integrity of its manufacturing process.

The chips manufactured in order to be used in an embodiment of this invention would include the following capabilities. The chip would first include an embedded device public/private key pair for device signatures to be issued by the device, where the private signature key is non-readable and tamper-resistant. The cryptographic signature keys may be of any acceptable cryptographic type, such as RSA. However, because RSA has both encryption and signature capabilities and because it is desirable to isolate the signature and encryption processes, the cryptographic signature key should preferably be DSA. The chip would also include an embedded and tamper-resistant manufacturer's certificate for the device signature key, an example of the format for which is shown in FIG. 14. The device containing the chip can append this certificate to its signatures in order to prove that the signatures originated from a device of known and trusted type having the qualities described below.

A chip manufactured for use in an embodiment of the present invention would also include the manufacturer's public signature verification key embedded within the chip in a tamper-resistant manner. The manufacturer's public signature key can be used by the user to verify instructions received from others by checking whether those instructions have attached a valid digital signature created by the manufacturer's private signature key, in order to determine whether those instructions originated with the manufacturer or one trusted by the manufacturer. The chip may also include embedded and tamper-resistant public instructions keys that can be used by the user to verify instructions received from others. The public instructions key could be the public key of some other trusted entity, such as Bankers Trust Co., selected by the manufacturer or could be the public key of a trusted national or global system-wide authority, and may optionally be embedded into the chip by the manufacturer for use as a "short-cut" to avoid having to verify the extra manufacturer-to-trusted-entity certificate. The manufacturer could install several instruction keys of various qualified key escrow houses that the manufacturer selects and believes to be capable and trusted.

Furthermore, the chip used in an embodiment of the present invention would have the ability to generate a



public/private key pair for encryption and decryption of data and communications by the individual user. The cryptographic encryption keys may be of any acceptable asymmetric cryptographic type, such as RSA. The cryptographic keys should, however, preferably be of the Diffie-Hellman type, i.e. the user's secret number is the private key and the user's publicized intermediate number is the public key, which are together used in the Certified Diffie-Hellman scheme to generate a session key that is used to encrypt and decrypt communications. The private key so generated is then stored inside the chips in a non-readable and tamper-resistant manner. In addition, the chip would also have the ability, once a public/private encryption key pair for that device has already been generated, to rekey and generate a new public/private encryption key pair in place of the previous key pair. In another embodiment, Interactive Diffie-Hellman key generation can also be used, as discussed later, in order to ensure that all senders and recipients contribute new random numbers to generate the message session keys.

In the preferred embodiment of this invention, the trusted device will have the ability to decrypt encrypted communications only on two conditions. The first condition is that valid master escrow center certificates for both the sending and the recipient devices must have been fed into the device prior to its receiving the encrypted transmission. Each certificate is valid if it is signed by a master escrow center certifying that the private decryption key of that device has been escrowed with one or more qualified escrow agents, and preferably with two or more Micali-style agents that employ a verifiable key-splitting protocol. This master escrow center certificate either must be accompanied by another certificate issued by the manufacturer establishing the named master escrow center as a valid escrow agent, or must be signed by a third party (a trusted national or global system-wide authority) named as a holder of a public instructions key embedded into the chip by the manufacturer. The second condition for decryption is that the message to be decrypted must be preceded by a valid Message Control Header (MCH) data field (the format for which will be described later) so that law enforcement or employer security personnel will have sufficient data from which to obtain the recipient's escrowed private keys and therewith monitor the communication.

In another embodiment of this invention, the chip will also have the ability to generate a public/private key pair to be used for user signatures, distinct from the embedded key pair that is used for device signatures. As with the device signature key pair, the cryptographic user signature keys may be of any acceptable cryptographic type, such as RSA, but should preferably be DSA, again to avoid any possible confusion with the keys used for message encryption. The user signature private key should be non-readable and tamper-resistant. The user would use the signature private key to sign his communications for sender verification and non-repudiation purposes. In still another embodiment of this invention, the chip also has the ability to use the device signature key in order to sign a request for certification of the user signature key pair it has generated for the user, thus proving that the user signature key pair was generated by, and the private key is being safeguarded by, a device of known tamper-resistant properties. In further embodiments of this invention, the chip may also have a hardware noise source, such as a diode noise source, to generate random numbers during key generation, and a unique physical device serial number to allow the device or its actions to be tracked in accounting, network management and inventory systems. In this embodiment, the device signature would certify not only that the user's device is of known tamper-resistant properties but also that every key or random number generated by the device was randomly generated anew each time using a high-quality random number generator, preferably a diode noise source.

In manufacturing the trusted device containing the chip of the present invention, the chip's memory is divided into at least three general areas as follows: (1) permanent and non-modifiable memory space containing data and firmware embedded into the chip during manufacture; (2) semi-permanent and modifiable memory space containing data, such as the user's private encryption and signature keys, generated for the user and held in trust for the user by the chip, which data and keys may be utilized by the chip to make digital signatures or to decrypt on the user's behalf but which are never disclosed outside the device; and (3) non-permanent and temporary memory space containing work area used for temporary storage of the inputs, intermediate results and final results of various data processing operations. Depending on the design, these three general areas could each reside in a different type of memory storage system, such as ROM for permanent firmware, EEPROM or FLASH memory for user data held in trust, and RAM for volatile temporary storage. Another approach might be to use FLASH memory for both permanent and non-permanent data. Yet another option is to utilize a chip operating system that would manage the microprocessor's memory using a directory of objects. Under this approach, one portion of memory can be devoted to a table or directory of the other items in memory and may include standardized information for each object, such as:

logical name (e.g., "manufacturer's public key");

…;

date modified (optional);

protection level (permanent, user or volatile);

disclosure level (externally readable or not externally readable).

In this manner, so long as the whole memory is equally tamper-resistant, no special areas need be designated for protected or non-protected data because the microprocessor can readily enforce the desired level of protection based on the code contained in the relevant directory entry for the data object. This scheme can also apply to firmware code routines just as easily as to data, and may be advantageously applied when upgrading or replacing trusted firmware code routines without needing to physically replace the device or any of its memory units.

The protected memory areas of a device of a preferred embodiment of the present invention might contain the following types of information, including both data and firmware program code.

A. Permanently Embedded by Manufacturer

1. May Be Externally Disclosed

a. system-wide authority public key (optional)

b. manufacturer public key

c. manufacturer certificate from system-wide authority

d. device public signature key

e. device certificate from manufacturer

f. device unique serial number

g. firmware version numbers

h. trusted bank public instruction keys

2. May Not Be Externally Disclosed

a. device private signature key
3. Firmware

a. operating system and file system

b. basic cryptographic library routines

c. escrow system routines

d. other trusted applications code

B. Generated by User Operations and Held in Trust for User

1. May Be Externally Disclosed

a. user's public encryption key

b. user's public encryption key escrow certificate

c. user's public signature key

d. user's public signature key certificate

2. May Not Be Externally Disclosed

a. user's private decryption key

b. user's private signature key

C. Other Non-Volatile Read-Write Storage (Optional)

a. correspondents' signature certificates

b. correspondents' escrow certificates

c. correspondents' device certificates (for MCH verification)

D. Working Storage (Could Be Volatile)

Public keys (all types), certificates (all types), hash values, signature blocks, other data structures being processed.
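The directory-managed memory described above, as an added example that is not the patent's own design: each object carries a protection level (permanent, user or volatile) and a disclosure level, and the chip mediates every external access against them rather than designating special memory areas. The object names and byte values are constructed placeholders drawn from the inventory above.

```python
"""Model of a chip operating system that keeps a directory of memory objects
and enforces each entry's protection and disclosure level on every access.
Added example (not the patent's code); object names and values are constructed."""
from dataclasses import dataclass
from enum import Enum


class Protection(Enum):
    PERMANENT = "permanent"  # embedded by manufacturer; never modifiable
    USER = "user"            # generated by user operations; replaceable by rekey
    VOLATILE = "volatile"    # working storage; discarded at power-off


@dataclass
class Entry:
    value: bytes
    protection: Protection
    externally_readable: bool


class PolicyViolation(Exception):
    """Raised when an access would breach the directory entry's policy."""


class ChipMemory:
    """Directory-managed memory: all access from outside the chip goes through here."""

    def __init__(self) -> None:
        self._directory: dict[str, Entry] = {}

    def embed(self, name: str, value: bytes, protection: Protection,
              externally_readable: bool) -> None:
        # Manufacturing-time or firmware-internal installation of an object.
        self._directory[name] = Entry(value, protection, externally_readable)

    def use_internal(self, name: str) -> bytes:
        # The chip itself may use any object (e.g. sign with a private key).
        return self._directory[name].value

    def export(self, name: str) -> bytes:
        """Disclose an object outside the device; allowed only if readable."""
        entry = self._directory[name]
        if not entry.externally_readable:
            raise PolicyViolation(f"{name} may not be externally disclosed")
        return entry.value

    def rekey(self, name: str, new_value: bytes) -> None:
        """Replace a user-generated object; permanent objects are immutable."""
        entry = self._directory[name]
        if entry.protection is Protection.PERMANENT:
            raise PolicyViolation(f"{name} is permanently embedded")
        entry.value = new_value

    def power_off(self) -> None:
        """Volatile working storage is lost; permanent and user data survive."""
        self._directory = {n: e for n, e in self._directory.items()
                           if e.protection is not Protection.VOLATILE}

    def contents(self) -> list[str]:
        return sorted(self._directory)


def build_device_memory() -> ChipMemory:
    """Populate a device with constructed sample objects from the inventory."""
    mem = ChipMemory()
    mem.embed("manufacturer_public_key", b"MFR-PUB", Protection.PERMANENT, True)
    mem.embed("device_private_signature_key", b"DEV-PRIV", Protection.PERMANENT, False)
    mem.embed("user_private_decryption_key", b"USER-PRIV-1", Protection.USER, False)
    mem.embed("user_public_encryption_key", b"USER-PUB-1", Protection.USER, True)
    mem.embed("session_hash", b"HASH", Protection.VOLATILE, False)
    return mem


def attempt(action) -> bool:
    """Run an access and report whether the directory policy allowed it."""
    try:
        action()
        return True
    except PolicyViolation:
        return False
```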

Key Escrow Process

After the chip of the present invention has been manufactured and prior to using the chip to encrypt or decrypt communications, the user's public decryption key must be registered with a master escrow center or with escrow agents approved by the chip manufacturer. Either the user may perform this operation himself or the manufacturer may initialize and register the chip with an escrow agent during manufacture, thus relieving the user of the requirement to escrow his keys by himself. However, the manufacturer could still leave the user the option to rekey by himself at a later time. For many individual users, allowing the manufacturer to register the chip, either with or without a rekey option, will be sufficient. In addition, consumers would most likely trust in the escrow agents chosen by the chip manufacturer. Corporations or other employers could program their own chips and the chips of their employees, and could register the chips with escrow agents of their own choice. Corporations, however, would generally not permit their employees to rekey on their own, because this could result in loss of control over corporate information and assets, as discussed above.

In order to generate and register a decryption key, the user (or whatever entity is performing the operation) invokes a firmware program that has been embedded into the chip and that instructs the chip to perform the particular steps of the Micali key escrow method or of the specific key escrow method that is used. See FIGS. 9-11, 15 and 16. Using whichever method is chosen for escrowing the private key with one or more escrow agents, the chip will first randomly generate, or choose, a secret number that will be the private decryption key for that user (as well as the other, public numbers that will be required, if those numbers have not already been set by some other prior random generation). The chip will store the private key in a non-readable and tamper-resistant manner. As shown in FIG. 15, the private decryption key can be escrowed with a single escrow agent. The trusted device 150 first generates a public/private encryption key pair 151 for the user and then sends to the escrow center 153 an encrypted and signed message 152 consisting of the encryption key pair 151 and the device serial number 154, with the manufacturer's certificate 155 for signature verification. The escrow center 153 verifies the signatures, decrypts the message packet and stores the user's private decryption key. The escrow center 153 also sends to the user a signed certificate 156 consisting of the user's device serial number 154 and the user's public encryption key 151 and the device's public signature verification key 157, with the escrow center's certificate 158 for signature verification. Once the user's device verifies the escrow center's signature, registration is complete.

If the private key is to be escrowed with more than one escrow agent, then the chip will break the private key into several pieces called key splits, according to a specific formula. Using the Micali escrow method and algorithm described earlier and shown in FIG. 9, the chip will next compute certain values 90 using the special Micali algorithm such that each value is based upon a mathematical transformation of one of the private key pieces 92. The chip then forms one share packet for each trustee or escrow agent 94 designated by the user, each share packet 93 containing the unique serial number of the user's device, one private key split and the set of certain values that enable the particular trustee to verify the received private key split as a valid part of the complete private key, without giving the trustee knowledge of the complete private key. As discussed later, if the user is not the owner of the device but rather, for example, an employee of the employer-owner, the trustee share packet would also include the unique identification number of the owner of the device and the device's owner certificate so that the employer-owner would be able to obtain the private key of the employee-user without having to first obtain a warrant. The chip then signs each trustee share packet using the unique device private signature key and attaches the manufacturer's certificate for the transmitting chip, thereby attesting that the information transmitted originated from a device of known and trusted type. Finally, the chip will output each signed trustee share packet for delivery by the user to a trusted escrow agent.

There is another, preferred way for the master escrow center to verify the separate key splits, without using the Micali method, by relying upon the trusted device alone. Using this method of verifying the key splits, shown in FIG. 16, the chip generates one random number for each key split of the private encryption key. The chip then forms one share packet 161 for each trustee or escrow agent 163 designated by the user, each packet containing the unique number of the user's device, one private key split and one of the random numbers. The chip signs each trustee share packet using the unique device private signature key and attaches the manufacturer's certificate 162 for the transmitting chip, thereby attesting that the information transmitted originated from a device of known and trusted type. As with the Micali method, the chip then outputs each signed trustee share packet 161 for delivery by the user to a trusted escrow agent 163. In addition, the chip must also create a message (encrypted) 164 to the master escrow center 165 containing, among other things, the user's public encryption key and the names of the escrow agents designated by the user, along with the random number given with the key splits to each respective escrow agent.

It is possible, however, because each trustee share packet contains a private key split, that a third party with access to communications from a user to the escrow agents could read the contents of all the user's share packets and recombine the private key splits within those packets in order to reassemble the complete private key. Then, using the private key, that third party could decrypt and encrypt communications in the name of the user. The best way to avoid this situation is by
using encrypted communications systems when sending share packets from users to escrow agents. The user would obtain the public encryption key certificate 166 of each escrow agent selected for escrowing the user's private key, where each certificate is signed by the master escrow center certifying that the particular escrow agent is trusted by the master escrow center to receive and store a key split packet, and would then verify the master escrow center's signature either using a certificate from the device's manufacturer (or from a system-wide authority) or using a preembedded instructions key. The device would then encrypt for each escrow agent, based upon that agent's certified public encryption key, a transmission 161 that includes the user's private key share packet. Alternatively, the manufacturer could embed into the chip the public encryption keys of several trusted escrow agents matched with an instructions key for each, as discussed earlier, in order for the user to send his private key splits to escrow agents trusted by the holder of the instruction keys, which is typically the master escrow center. This way, all the escrow agents in the master escrow center's or the manufacturer's "family" could decrypt user requests for escrow, while sparing the user the burden of obtaining the public encryption key certificates of all escrow agents.

Once each escrow agent or trustee 163 receives the appropriate share packet 161 from the user or from the user's device, the trustee inspects the private key split received in the trustee share packet 161 from the user's device and, together with the master escrow center 165, verifies that it is a valid and correct part of the complete private key. It is necessary for the escrow agents and the master escrow center to have a reliable means of proving or verifying that the fragments of the user's private decryption key have in fact been deposited. It is desirable that verification of the key splits be accomplished by the escrow agents and the master escrow center without ever inspecting or possessing those fragments itself, or ever bringing them together in one location. The Micali "Fair" escrow system provides one highly trusted way for the escrow center to verify the separate deposits of the key fragments. In the Micali method, shown in FIGS. 10 and 11, the verification is done with the set of certain values that were computed by the user's chip during preparation of the share packet through use of a special Micali algorithm and that were included with the key split in each share packet to the escrow agents. The Micali algorithm and key split verification are known in the art and need not be repeated here. Each trustee 94 then stores the device's manufacturer's certificate for later use in decoding, and approves the key split 93 by sending an appropriate signed message 96 to the master escrow center, along with the user's name and device certificate, and by signing and storing the key split 90. Only when presented with either (a) a warrant or court order or (b) a signed request from the lawful owner of the device will the trustee reveal the piece (or pieces) of a given private decryption key in its possession.

Using the preferred escrow and verification method relying on the trusted device alone, shown in FIG. 16, each trustee 163 transmits a message 167 to the master escrow center 165 identifying the user's name, public encryption key, device number and the random number it received. In addition, the user device sends a packet to the master escrow center 165 containing the random numbers used for verification of the private key splits, and that packet should be encrypted using the master escrow center's public encryption key. The master escrow center 165 receives the messages 164, 167 from the user device and from the trustees 163, and verifies that the individual random number received from each trustee matches the random number that the user device stated was given to that trustee. Note that under this method the escrow agents 163 and master escrow center 165 rely solely upon the trusted device's signature on the share packets 161 to assure themselves that the escrow is proper. This escrow and verification method does not need to perform any secondary mathematical operations in order to verify that the escrow is proper or that the public key presented for certification matches the deposited key fragments. Although from the standpoint of public, user or systemwide trust, it might still be desirable to utilize a verifiable key escrow algorithm such as the Micali process, it is clearly not necessary and may be dispensed with when the added cost of using such a process cannot be justified. In addition, by this method of relying upon the trusted device alone, there is no limit to the complexity of the key splitting schemes that can be devised, because there is no need to devise complex secondary algorithms to verify correct performance of any given scheme. It is necessary only to trust the integrity of the device manufacturer that embedded the firmware code and to trust that the device will resist tampering.

After verifying all the user's private key splits, the master escrow center itself further approves the public encryption key that corresponds to the private decryption key that was approved by all the user's trustees; the master escrow center 165 proves the public key by issuing a signed certificate 168 (called the master escrow center certificate, the public encryption key certificate, or simply, the escrow certificate) certifying that the private key corresponding to the public key being certified has already been escrowed in the proper fashion. The public signature key of the user's device, obtained from the device's manufacturer's certificate, can also be placed in the master escrow center certificate, thus eliminating the need to send or reverify the device manufacturer certificate at later points in the process. The master escrow center certificate could be formatted as follows:

Version Number
Certificate Serial Number
Master Escrow Center Country Code
Master Escrow Center Name
Master Escrow Center Public Encryption Key (for use in creating LEAF)
User Distinguished Name
User Public Encryption Key (hereby being certified)
Device Public Signature Verification Key (to verify device signature)
Validity Date (start/end)
Master Escrow Center Signature
[Master Escrow Center System-wide Certificate]

Public encryption key certificates that have been issued by the master escrow center are distributed and can be used either by the device owner in order to activate his device to originate encrypted messages or by others to encrypt messages to the owner of the device containing that user's public/private encryption key pair.

It should be noted that the present invention does not require more than one escrow agent to be the recipient of the user's private encryption key splits; in some cases, it might be enough merely to deposit the user's private decryption key with a single escrow agent (or escrow center). However, in order to enhance user and public trust in the system, it is desirable to split the user's private decryption key among several escrow agents such that all the key splits, or some specified number of them, are required in order to reassemble the user's key and decrypt his communications. It is further desirable that each escrow agent be an independent, trusted business operation, thereby effecting "split knowledge" so that in the event of attempted corruption, bribery, extortion or abuse, it will be much more difficult to wrongfully obtain the user's private decryption key than it would be if the private key were stored with a single entity. It is also desirable that the entities be separated geographically in order to further suppress attempted subversion or corruption.

Encryption of Communications

A user who desires to send an encrypted communication to another user must have an escrow certificate for his own device and an escrow certificate for the intended recipient's public encryption key, because the device of the present invention will neither encrypt nor decrypt if either is missing. First, the sender must load his own valid certificate into the device, typically when he first receives it from the master escrow center. Then, the intended recipient's public key certificate can be obtained either from the intended recipient directly, from a directory service listing public key certificates, or from the sender's local file, e.g. a file of users with whom the sender has previously exchanged encrypted communications. In one embodiment of the present invention, because the sender's device will not encrypt and the recipient's device will not decrypt unless the recipient's public encryption key certificate is "valid," in order for the recipient's device to decrypt the encrypted message, the recipient's public encryption key certificate must be signed by either (a) the recipient device's manufacturer (this is unlikely to be the case because device manufacturers will most probably not be escrowing users' private keys); (b) the master escrow center, and accompanied by a manufacturer's certificate approving the master escrow center as a valid trustee; or (c) a trustee or master escrow center whose instructions key was embedded into the device during manufacture. Using the intended recipient's certified public encryption key as set forth in the recipient's public encryption key certificate, the sending user then generates a session key for use by both the sender and the recipient to encrypt and decrypt the communication. This session key can be generated preferably using the Certified Diffie-Hellman method or, alternatively, any other equivalent system. In the Certified Diffie-Hellman method, the user first randomly generates his ephemeral private key for that message and then computes the session key based upon his own private key and the recipient's public key (i.e., the recipient's intermediate number and the two public numbers, which are all contained with the recipient's public encryption key certificate). Then, using the session key, the sender encrypts the message to be sent to the recipient user.

However, in deciding whether or not to send an encrypted message to the intended recipient, the sender may be unable to verify the properties of the recipient's public encryption key certificate or of the digital signatures thereon if the sender's device were made by a manufacturer different from the one that made the recipient's device. The fact that the recipient's device was made by a different manufacturer would prevent the sender's device from easily verifying either the manufacturer's signature or the certificate of the manufacturer (that certified the master escrow center that signed the recipient's key escrow certificate) stating that the recipient's master escrow center is valid and approved by that manufacturer. Likewise, the recipient's chip would be unable to verify these conditions with respect to the sender's certificate before decrypting. Enforcement of the escrow restriction on both parties is needed in order to enable law enforcement agents to lawfully intercept and decrypt messages being both sent and received by a given suspected user, without necessarily obtaining the other, non-monitored party's private decryption key and, thereby, access to that non-monitored party's unrelated messages.

One way to address this issue, while still allowing more than one manufacturer to make cryptographic devices, is to embed into the device or into a certificate issued by either the user's master escrow center or the chip manufacturer a public key from a trusted national entity, for example the Federal Reserve Bank ("FRB"), which could be used to verify yet another certificate issued by the FRB to each of the other various master escrow centers or manufacturers. Such a certificate would verify the trustworthiness of the particular master escrow center or manufacturer and would be signed by the FRB. A sending user could then obtain the public encryption key certificate of an intended recipient and could trust the master escrow center that issued the certificate because the master escrow center was accredited by the FRB, rather than by the chip manufacturer, as certified by the FRB public key or certificate. Also, the signature of a particular device could be trusted because the other manufacturer that certified that device was accredited by the FRB, as certified by the FRB certificate or public key. In order to deal with this issue on a less parochial United States-based level and promote a more international and worldwide system, the public key of a trusted global entity, such as the Bank for International Settlements in Switzerland, could be embedded into either the trusted device, the FRB certificate or the master escrow center or manufacturer certificate (depending upon the trust model employed), and could operate the same way discussed regarding the FRB key, in order to accredit master escrow centers and manufacturers on a worldwide basis. Another way, albeit one not involving U.S. or world authorities, for one device to trust the escrow centers certified by another manufacturer is for the device manufacturers' master escrow centers to cross-certify each other. This would allow the sender's device to help enforce the recipient's escrow restrictions by allowing the sender's device to verify the certification path of the recipient's escrow certificate back through the recipient's device manufacturer or master escrow center to his own. In the preferred embodiment, the public key of a trusted system-wide entity would be embedded into the trusted device and would operate the same way discussed above regarding the FRB or global entity key, in order to accredit all the master escrow centers and manufacturers on a system-wide basis.

Whenever any user, entity or device "verifies" a digitally signed "certificate," whether a manufacturer's certificate or an escrow certificate, issued by a certifying authority or manufacturer, it is common practice in most or all actual and proposed public key certificate management systems (and it is assumed throughout this disclosure) that the user, entity or device also checks any applicable "certificate revocation list" ("CRL") in order to determine whether the certifying authority or other issuer has distributed, propagated or otherwise made available a list of revoked certificates that is updated in accord with an appropriate security policy and whether, based upon the issuer name and certificate number, the certificate has been revoked. A certificate issued to a user could be revoked for death, name or employment change, or loss, theft or destruction of the device (the personal smart card) containing the private key. A certificate issued to an entity may be revoked due to cessation of business, name change, or loss, theft or destruction of the device containing the private key. A certificate issued to a device may be revoked due to loss, theft, removal from service or destruction of the device. The checking of CRLs during certificate verification is well-described in the public literature (e.g., ANSI X9.30-Part 3) and does not require further discussion. All users, entities and devices will normally have access to appropriate telecommunications facilities and can retrieve CRLs or perform inquiries as desired. Likewise, under the present invention, all entities issuing CRLs are presumed to make them available to all interested parties.
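The FIG. 16 escrow flow described above (one random number per key split, device-signed share packets, trustee reports to the master escrow center, and the center's matching check), worked as an added Python model; this is not code from the patent. The device signature is modelled as an HMAC tag under a per-device key assumed to be available to the trustees and the center (a real device uses DSA plus the manufacturer's certificate), the split is a k-of-n Shamir split so that "some specified number" of trustees suffice, and the trustee names, serial number and key values are constructed.

```python
# Added example: the FIG. 16 escrow flow modelled end to end (not code from
# the patent).  Device signatures are modelled with HMAC under a per-device
# key that the manufacturer is assumed to have made available to trustees and
# the master escrow center; a real device would use DSA plus the
# manufacturer's certificate.  Names, serial numbers and keys are constructed.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime; key splits are points over GF(P)


def split_key(secret, k, n):
    """Shamir k-of-n split of `secret` (< P): returns n shares (x, y)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def recombine(shares):
    """Lagrange interpolation at x = 0 over GF(P) from any k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def device_tag(device_key, *fields):
    """Stand-in for the device's signature over the listed fields."""
    msg = b"|".join(str(f).encode() for f in fields)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def device_escrow(device_key, serial, priv_key, trustees, k):
    """Trusted device: one signed share packet 161 per trustee, each carrying
    a fresh random number, plus message 164 for the master escrow center
    listing which random number went to which trustee (164 would be
    encrypted to the center's public key; that step is omitted here)."""
    shares = split_key(priv_key, k, len(trustees))
    packets, nonces = {}, {}
    for trustee, (x, y) in zip(trustees, shares):
        nonce = secrets.token_hex(16)
        nonces[trustee] = nonce
        packets[trustee] = {"serial": serial, "share": (x, y), "nonce": nonce,
                            "sig": device_tag(device_key, serial, x, y, nonce)}
    center_msg = {"serial": serial, "nonces": nonces,
                  "sig": device_tag(device_key, serial, sorted(nonces.items()))}
    return packets, center_msg


def trustee_process(trustee, packet, verify_key):
    """Trustee 163: check the device signature on its share packet, keep the
    split, and report serial number and random number to the center (167)."""
    x, y = packet["share"]
    expected = device_tag(verify_key, packet["serial"], x, y, packet["nonce"])
    if not hmac.compare_digest(expected, packet["sig"]):
        raise ValueError(f"{trustee}: bad device signature on share packet")
    return {"trustee": trustee, "serial": packet["serial"], "nonce": packet["nonce"]}


def center_verify(verify_key, center_msg, reports):
    """Master escrow center 165: the device-signed list of random numbers
    must match, trustee for trustee, what the trustees report.  The center
    never sees a key split."""
    serial, nonces = center_msg["serial"], center_msg["nonces"]
    expected = device_tag(verify_key, serial, sorted(nonces.items()))
    if not hmac.compare_digest(expected, center_msg["sig"]):
        return False
    reported = {r["trustee"]: r["nonce"] for r in reports if r["serial"] == serial}
    return reported == nonces


def demo():
    device_key = secrets.token_bytes(32)       # constructed device signing key
    priv_key = secrets.randbelow(P)            # user's private decryption key
    trustees = ["Agent-A", "Agent-B", "Agent-C"]
    packets, center_msg = device_escrow(device_key, "DEV-0001", priv_key, trustees, k=2)
    reports = [trustee_process(t, packets[t], device_key) for t in trustees]
    escrow_ok = center_verify(device_key, center_msg, reports)
    # lawful-access path: any 2 of the 3 splits reassemble the key
    recovered = recombine([packets["Agent-A"]["share"], packets["Agent-C"]["share"]])
    return escrow_ok, recovered == priv_key
```

Because the center compares only random numbers, it needs no knowledge of the splits, which is the property the text asks for. What this check cannot detect is a device that signs a consistent set of packets containing the wrong key material, which is why the text rests the scheme on trusting the manufacturer's firmware and the device's tamper resistance rather than on any secondary verification algorithm.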
Message Control Header Format

When sending an encrypted communication, the sending user must also form a suitable Message Control Header (MCH) field containing the following information:

(1) The sender's intermediate number for the encrypted message, computed by the sender using the sender's randomly generated ephemeral private key that was also used by the sender to compute the session key with which the message was encrypted. The recipient user must have this intermediate number in order to compute the session key for decrypting the message.

(2) The name and country code of the sender's master escrow center.

(3) The name and country code of the recipient's master escrow center, obtained from the recipient's public key certificate.

(4) The sender's escrow certificate number, encrypted using the public encryption key of the sender's master escrow center (obtained from the sender's escrow certificate) so that only the sender's master escrow center may decrypt it.

(5) The sender's intermediate number (different from the sender's previous intermediate number) that was used by the sender to compute the ephemeral session key with which the sender's certificate number was encrypted to the sender's master escrow center. The sender's master escrow center must have this number in order to compute the ephemeral key for decrypting the sender's certificate number.

(6) The session key for the encrypted message, encrypted using the sender's own public key (the intermediate number from the sender's own public certificate), so that in effect the sender sends the message session key to himself. Law enforcement can gain access to this message session key once it obtains the sender's private key components from the sender's escrow agents.

(7) The sender's intermediate number (different from the sender's two previous intermediate numbers) that was used by the sender to compute the ephemeral key with which the message session key was encrypted to himself. Law enforcement must have this number in order to compute, using also the sender's private key (his secret number) obtained from the sender's master escrow center, the ephemeral key for decrypting the message session key.

(8) The recipient's certificate number, encrypted using the public encryption key of the recipient's master escrow center (obtained from the recipient's escrow certificate) so that only the recipient's master escrow center may decrypt it.

(9) The sender's intermediate number (different from the sender's three previous intermediate numbers) that was used by the sender to compute the ephemeral key with which the recipient's escrow certificate number was encrypted to the recipient's master escrow center. The recipient's master escrow center must have this number in order to compute the ephemeral session key for decrypting the recipient's certificate number.

(10) Timestamp (optional), for tracking purposes and possibly to assist in the enforcement of warrant date and time restrictions.

(11) The signature of the sender's device.

(12) The sender's public key escrow certificate issued by the sender's master escrow center. The sender's escrow certificate contains the sender's device public signature key, which the master escrow center had pre-verified and then copied from the sender's device's manufacturer's certificate.

(13) The master escrow center's certificate from the FRB, the manufacturer or whatever system-wide authority is trusted, if the recipient's chip is made by a different manufacturer, appended to the sender's escrow certificate. The certificate of the manufacturer, the FRB or the system-wide authority is needed only for the first communication between the two parties. The certificate could also be a cross-certificate from the recipient's manufacturer or master escrow center.
The MCH thus described could be summarized as follows:

Sender Intermediate Number (to allow the recipient to decrypt the message)
Sender Master Escrow Center Country Code
Sender Master Escrow Center Name
Recipient Master Escrow Center Country Code
Recipient Master Escrow Center Name
Sender Escrow Certificate Number, encrypted for Sender Master Escrow Center
Sender Intermediate Number (for encrypting the sender certificate number)
Message Session Key, encrypted for sender
Sender Intermediate Number (for encrypting the message session key to the sender)
Recipient Escrow Certificate Number, encrypted for Recipient Master Escrow Center
Sender Intermediate Number (for encrypting the recipient certificate number)
Timestamp
Sender Device MCH Signature
[Sender Escrow Certificate]
[Escrow Center Certificate]
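The Certified Diffie-Hellman session key and MCH fields (1) to (10) above, worked as an added Python example that is not the patent's code. The master escrow centers are modelled as holders of Diffie-Hellman key pairs, a SHA-256 keystream stands in for the DES encryption of the MCH fields, the group is the 1024-bit MODP prime of RFC 2409 (chosen only to keep the example self-contained, not as a recommended size), and the certificate numbers, center names and message are constructed.

```python
# Added example (not the patent's code): Certified Diffie-Hellman session key
# plus the cryptographic fields of the MCH, with the three recovery paths the
# text describes.  The symmetric cipher is a SHA-256 keystream standing in for
# DES, and escrow-center keys are modelled as DH keys; certificate numbers,
# names and the message are constructed.
import hashlib
import secrets
import time

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2.  Too small for
# new designs; used only to keep the example self-contained.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    """DH key: (secret number, intermediate number g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(their_pub, my_secret):
    """Certified DH: symmetric key derived from the shared g^(xy) mod p."""
    s = pow(their_pub, my_secret, P)
    return hashlib.sha256(s.to_bytes(128, "big")).digest()


def xcrypt(key, data):
    """Counter-mode keystream from SHA-256; the same call encrypts and
    decrypts.  Stand-in for DES, and not an authenticated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_mch(sender, recipient, ec1_pub, ec2_pub, message):
    """Sender's device: fields (1)-(10) of the MCH.  Four distinct ephemeral
    secrets x1..x4 give the four intermediate numbers and are then dropped."""
    x1, i1 = keypair()
    session = shared_key(recipient["pub"], x1)              # (1) to recipient
    x2, i2 = keypair()                                      # (4)/(5) to EC1
    x3, i3 = keypair()                                      # (6)/(7) to self
    x4, i4 = keypair()                                      # (8)/(9) to EC2
    mch = {
        "sender_intermediate": i1,
        "sender_ec": ("US", "EC1"), "recipient_ec": ("US", "EC2"),
        "sender_cert_no_enc": xcrypt(shared_key(ec1_pub, x2), sender["cert_no"]),
        "sender_intermediate_ec1": i2,
        "session_key_enc": xcrypt(shared_key(sender["pub"], x3), session),
        "sender_intermediate_self": i3,
        "recipient_cert_no_enc": xcrypt(shared_key(ec2_pub, x4), recipient["cert_no"]),
        "sender_intermediate_ec2": i4,
        "timestamp": int(time.time()),                      # (10)
    }
    return mch, xcrypt(session, message)


def recipient_decrypt(recipient_secret, mch, ciphertext):
    """Recipient's device: session key from field (1) and its escrowed secret."""
    return xcrypt(shared_key(mch["sender_intermediate"], recipient_secret), ciphertext)


def law_enforcement_decrypt(sender_secret, mch, ciphertext):
    """With the sender's escrowed secret (reassembled from the escrow agents
    under a warrant), fields (6)+(7) give the session key, then the message."""
    wrap = shared_key(mch["sender_intermediate_self"], sender_secret)
    return xcrypt(xcrypt(wrap, mch["session_key_enc"]), ciphertext)


def escrow_center_cert_no(ec_secret, mch, party):
    """EC1 ('sender') or EC2 ('recipient') recovers the certificate number
    encrypted to it, to look up whose key to fetch from the agents."""
    if party == "sender":
        return xcrypt(shared_key(mch["sender_intermediate_ec1"], ec_secret),
                      mch["sender_cert_no_enc"])
    return xcrypt(shared_key(mch["sender_intermediate_ec2"], ec_secret),
                  mch["recipient_cert_no_enc"])


def demo():
    a, ya = keypair()            # sender's escrowed key pair
    b, yb = keypair()            # recipient's escrowed key pair
    e1, y1 = keypair()           # EC1 and EC2 key pairs
    e2, y2 = keypair()
    sender = {"pub": ya, "cert_no": b"EC1-000123"}
    recipient = {"pub": yb, "cert_no": b"EC2-004567"}
    mch, ct = build_mch(sender, recipient, y1, y2, b"meet at noon")
    return (recipient_decrypt(b, mch, ct), law_enforcement_decrypt(a, mch, ct),
            escrow_center_cert_no(e1, mch, "sender"),
            escrow_center_cert_no(e2, mch, "recipient"))
```

The three recovery functions show why the MCH carries four separate intermediate numbers: each one lets exactly one party (the recipient, EC1, the sender's own escrowed key, EC2) derive one wrapping key, so a master escrow center can read a certificate number without being able to read the message, and a wiretap on the sender needs the sender's escrowed secret plus field (7) rather than the recipient's key.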
FIG. 17 shows a process for sending an encrypted message 176 with a MCH. The entire MCH 172 (the appended certificates 173, 174, 175 are not technically part of the MCH) is signed by the sender's device 171, using the device private DSA signature key, with the embedded certificate of the manufacturer appended thereto (within the sender's escrow certificate) in order to certify the device's public signature key. This guarantees that the entire MCH is delivered intact to the recipient and that the recipient's chip can easily verify that the MCH has not been modified. The manufacturer's certificate might be accompanied by a national (FRB) or a world-authority certificate to certify the trustworthiness of the manufacturer of the sender's chip in case the recipient's device was manufactured by a different manufacturer.
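The certification-path check that the escrow certificates and appended authority certificates rely on (a national or system-wide key embedded in the device, cross-certificates between master escrow centers, and a CRL check by issuer name and certificate number), as an added Python example that is not the patent's code. DSA over the RFC 2409 1024-bit MODP group stands in for the device and issuer signatures, the certificate fields are a subset of the escrow certificate format listed earlier, and all names, serial numbers and keys are constructed.

```python
# Added example (not from the patent): certification-path and CRL checking
# as a device would do it, from the recipient's escrow certificate back to a
# key embedded in the device (FRB anchor) or to the device's own master
# escrow center via a cross-certificate.  DSA over the RFC 2409 1024-bit MODP
# group (a safe prime, so G=2 has prime order Q) stands in for the device and
# issuer signatures; names, serial numbers and keys are constructed.
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2


def dsa_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def dsa_sign(x, data):
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (digest(data) + x * r) % Q
        if r and s:
            return r, s


def dsa_verify(y, data, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, digest(data) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r


def cert_body(c):
    return f"{c['issuer']}|{c['subject']}|{c['pub']}|{c['serial']}|{c['role']}".encode()


def issue_cert(issuer, issuer_secret, subject, subject_pub, serial, role):
    cert = {"issuer": issuer, "subject": subject, "pub": subject_pub,
            "serial": serial, "role": role}
    cert["sig"] = dsa_sign(issuer_secret, cert_body(cert))
    return cert


def verify_path(chain, trust_anchors, crls):
    """chain[0] is the leaf (e.g. an escrow certificate); each later entry
    certifies the issuer of the one before it.  trust_anchors maps issuer
    names embedded in the device to public keys; crls maps issuer name to the
    set of serial numbers that issuer has revoked.  Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if cert["serial"] in crls.get(cert["issuer"], set()):
            return False, f"{cert['subject']} revoked by {cert['issuer']}"
        if cert["issuer"] in trust_anchors:
            issuer_pub = trust_anchors[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer_pub = chain[i + 1]["pub"]
        else:
            return False, f"no path from {cert['subject']} to a trusted key"
        if not dsa_verify(issuer_pub, cert_body(cert), cert["sig"]):
            return False, f"bad signature on {cert['subject']} certificate"
        if cert["issuer"] in trust_anchors:
            return True, f"anchored at {cert['issuer']}"
    return False, "chain ended without reaching a trust anchor"


def demo():
    frb_x, frb_y = dsa_keygen()        # national authority embedded in devices
    eca_x, eca_y = dsa_keygen()        # recipient's master escrow center EC-A
    ecb_x, ecb_y = dsa_keygen()        # sender's master escrow center EC-B
    _, user_y = dsa_keygen()           # recipient's public encryption key
    eca_by_frb = issue_cert("FRB", frb_x, "EC-A", eca_y, 11, "master-escrow-center")
    eca_by_ecb = issue_cert("EC-B", ecb_x, "EC-A", eca_y, 12, "cross-certificate")
    escrow = issue_cert("EC-A", eca_x, "bob@example", user_y, 501, "escrow-certificate")
    return (
        verify_path([escrow, eca_by_frb], {"FRB": frb_y}, {})[0],        # via FRB
        verify_path([escrow, eca_by_ecb], {"EC-B": ecb_y}, {})[0],       # cross-cert
        verify_path([escrow, eca_by_frb], {"EC-B": ecb_y}, {})[0],       # no path
        verify_path([escrow, eca_by_frb], {"FRB": frb_y}, {"EC-A": {501}})[0],  # revoked
    )
```

The same escrow certificate validates either through the FRB anchor or through EC-B's cross-certificate, which is the cross-manufacturer interoperability the text is after; a device that trusts only EC-B and is handed the FRB-issued chain fails closed, and the CRL is consulted for every certificate in the path before any signature work is done.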

In another embodiment of this invention, a second, shorter MCH format could be used for the case in which total privacy is not crucial. In this MCH, neither the Sender Certificate Number nor the Recipient Certificate Number are encrypted for the respective master escrow center. Not encrypting the certificate numbers saves much time and space in creation of the MCH. In still another embodiment of this invention, a third, even shorter MCH format could be used for the common case in which the sender and the recipient both utilize the same master escrow center for key escrow purposes, by making EC1 identical to EC2. By

5,799,086

25 26
eliminating the need in the MCH for identifying information of the second master escrow center and for the special intermediate number that is used for encrypting the recipient certificate number to the second master escrow center, the MCH can be made significantly shorter. Furthermore, the size of the MCH could be further reduced by using RSA key transport to encrypt a DES key for the message and for each of the three encrypted inner LEAF components. According to this method, each sender intermediate number would be replaced by a smaller RSA-wrapped DES key. Thus, the sender could RSA-encrypt the message session key for the recipient and eliminate the need for the first intermediate number in the MCH. The sender could also RSA-encrypt the message session key for himself (actually, for law enforcement to decrypt later) and thus eliminate the need for the third intermediate number in the MCH. The sender could further RSA-encrypt his own and the recipient's certificate numbers and thus eliminate the need for the second and fourth intermediate numbers in the MCH. As shown in FIG. 18, eliminating the four intermediate numbers and their associated encryption and replacing each intermediate number with a smaller RSA transport encryption 181 saves a significant amount of space in the MCH size.

Contribution of Random Material

Some may be concerned that a message session key exchanged using only the MCH or the Certified Diffie-Hellman scheme is not secure because, with either of these two methods, although both the sender and the recipient provide information, only the sender generates the message session key. However, under military standards for secure communication, both sender and recipient must contribute random material in generating a session key prior to each communication session, apparently in order to reduce the chance that the sender might use a weak key or use the same key repeatedly and thereby subject the recipient to an undesired security risk against his will. The system of trusted devices contemplated under this invention can alleviate this fear in two ways. First, it can ensure that the sending device will generate each key separately using random numbers derived from the noise of a built-in hardware noise source, such as a reverse-bias diode, as discussed earlier. Then, so long as the device signs the MCH or message control header, the recipient would be assured that each message session key and the random numbers used in generating it are strong and unique. Still, those insistent upon greater security may demand contribution of random material by both sides of the communication, as defined for Type-1 military systems for classified information.

Thus far in this disclosure, the sender has been described as generating message session keys based on the recipient's public encryption key as contained in his escrow certificate, but not based on random material received from the recipient during the setup phase of the communication. Arranging for the sender to receive a contribution from the recipient, however, creates a new problem. The recipient cannot simply be allowed to generate a Diffie-Hellman intermediate number on his own and send it to the sender for use in generating a message session key, because the recipient then would no longer be using the escrowed private key within his trusted device to decrypt messages and because their communications could never be monitored by law enforcement. Continued success in enforcing the escrow scheme requires that neither sender nor recipient be able to read a message without using a registered trusted device.

In order to allow a situation in which both the sender and the recipient contribute random material to the message session key prior to communicating, the initial key-exchange protocol may be modified to allow a would-be recipient's device to generate a new ephemeral Diffie-Hellman secret number separate and apart from the recipient's escrowed private key, and to send the corresponding new intermediate number to the sender's device, in the same manner that the sender's ephemeral private key is used to generate the intermediate numbers (contained in the MCH) and the ephemeral session keys that encrypt portions of the MCH. This modification requires, however, that generation of the new secret number occur inside the would-be recipient's device, that the new secret number remain inside the trusted device, and that the new intermediate number be signed by the would-be recipient's device prior to being sent to the sender's device for the purpose of attesting that the new ephemeral secret number is indeed confined securely inside the recipient's device. As before, the sender's device generates a new secret number that is separate and apart from the sender's escrowed private key and, using that new secret number and the recipient's new intermediate number, generates the message session key for decrypting the message. The sender's device will also use the sender's new secret number to generate a new intermediate number which will be sent to the recipient's device as an element of the MCH for wiretapping purposes. In this method, the message session key is based upon random material contributed by both the sender and the recipient as desired.

However, under this modified key-exchange protocol, where the recipient and sender in effect use new Diffie-Hellman private keys for each message, the escrow feature "disappears," as law enforcement and corporate management would never be able to obtain those ephemeral message session keys from the escrow agents. Therefore, the needs of the escrow system and the community of interest require that the message session key be transported in the MCH as before. In fact, in order to assure equality of tapping, all fields that were before disclosed as part of the MCH remain so. The field transporting the message session key to the sender (which is the only way for law enforcement agents who are wiretapping the sender to read the message) must still be included in the MCH in order to preserve the principle of equality of tapping. The message session key will be encrypted into the MCH, as before, under the sender's public encryption key, to which law enforcement can gain access through the sender's escrow agents, and the sender's new intermediate number will be sent to the recipient as the first element of the MCH, to allow law enforcement to wiretap the recipient and compute the message session key. Thus, in order to accommodate the Interactive Diffie-Hellman key exchange technique, this protocol requires that the would-be recipient's new intermediate number be generated inside and signed by his device, and requires that the sender's new intermediate number be added to the MCH, not used in place of the previously stated key transport methods, as that is the only way the community of interest (law enforcement, employers, and others) can read the message. This method, however, would not be economical for transactions besides on-line phone, networks or dial-up transactions, because the device would have to remember too much, i.e. the special intermediate numbers for each counterparty. This method is preferably to be used in cellular phone, network logons, etc., through which a purely real-time interactive session is desired.

Community Interest Headers

The MCH will generally be placed before the encrypted message, as a message header. In many current electronic
mail and document systems, several recipients are enabled to read one encoded message, using the RSA transport embodiment of the MCH design as discussed above, by RSA-encrypting the message session key using the public encryption key of each recipient. That is, when several recipients are intended to receive the same encrypted message, the MCH header can include, for each intended recipient, the intended recipient's name followed by the message session key, RSA-encrypted to each intended recipient using that recipient's public encryption key. Thus, each intended recipient can locate his name in the MCH header, decrypt his copy of the message session key and read the message. Even with several intended recipients, the correctness of the MCH is enforced on both ends of the communication: on the sending end, the MCH output is enforced by the internal logic of the sender's device, i.e. the requirement that it create a valid MCH prior to encrypting a message; on the receiving end, the MCH correctness is enforced by verification by the receiver's device of the digital signature of the sender's device. As previously noted, because the recipients' copies of the message key are integral to the MCH, no recipient can decrypt the message unless the MCH is sent and received, unlike the Clipper system in which the MCH is not itself linked to the key transport mechanism.

Under this MCH formatting concept, the MCH could be summarized as shown in FIG. 25. As in previous MCH formats, the authenticity of the MCH is guaranteed by the digital signature of the sender's device 258. Furthermore, as before, the escrow certificate numbers of the sender and the recipient are encrypted under the public encryption keys of [...] the sender's device [...] becomes a modified "list of recipients" that is more flexible and easier to understand in relation to the way contemporary encrypted electronic mail systems work. For example, the sender's and recipient's names (or system IDs or addresses) [...] this impinges on the anonymity of the sender and the recipient, as a practical matter it is difficult [...]. Hence the loss of privacy is slight. In addition, the names of the sender's and recipient's employers 255, 256 (or their unique IDs, such as tax numbers or DUNS numbers) are also shown unencrypted, thus greatly reducing the burden on the employers' security staffs to find messages sent and received by their respective employees. Alternatively, instead of leaving the sender, recipient and employer name blocks unencrypted, these entries could just as well read "sender," "addressee," "sender's employer" and "recipient's employer" (or their equivalents) unencrypted, with the actual identifiers inside the encrypted areas, as before. Thus, an intended recipient of the communication would look in the MCH for his unencrypted identifying abbreviation and in this way will attempt to decrypt and read only the portions of the MCH that are directed to and encrypted for him.

In addition, this MCH format as shown in FIG. 25 allows access by possible sub-units within the employer organization, by defining secondary employer lines (a, b, etc.). For secrecy-conscious employers, the MCH could read "sender empl sub-unit b" unencrypted, as discussed above, and contain the actual company unit identifier in the encrypted area. Because each MCH entry is labeled, there is no limit on how many layers of employer access there can be; all of them become in some sense authorized "recipients" of the message. Furthermore, in contrast to previous MCH formats, this MCH format can include the message session key encrypted directly to the employer 257 so that the employer need not go to the master escrow center and agents in order to obtain the message session key for decrypting the message. Although possibly impinging on employee expectations of privacy in the workplace, this format can allow employers to check or review their employees' files with minimal effort.

In order to create a MCH in this format prior to sending [...], he must first obtain all the necessary [...] and public keys of the intended recipients [...]. Generally, this information [is] available to a user who [...] communication; the master escrow centers [...] user's standard form escrow certificate, as discussed earlier, the unique identification or certificate number and public key of both the employer and any employer sub-units. The escrow certificate could [...] by using [...] groups, allowing a variable number of "community-of-interest" parties. Each community-of-interest party entry would have a unique identification number, a public encryption key and, possibly, an instruction code (or policy code, as discussed below) instructing the sender's device how to encode that party's MCH entry. The instruction code could include elements of choice giving the sending device the option of including (1) the party's unique identification number either unencrypted or as an alias, e.g., "empl-a;" (2) the message [...]; (3) the [...] identification number in the coded area or not; (4) the timestamp or a random number at the start of the coded area or not. These (and possibly other) instruction codes could be defined as bitmask flags. The list of parties (and/or their codes), their public encryption keys and [...] the sender's device how to [...] the community-of-interest portions of the MCH in accord with the desires of each party for partial or total anonymity. It is anticipated that in practice, many community-of-interest parties will not bother with anonymity; it will be much easier for them to search for and identify their employees' messages if they keep their own names and identification numbers in the clear.

Decryption by Recipients

When the intended recipient receives the encrypted message 191 and the MCH field 192, several things must be done in order for the recipient to read the message, as shown in FIG. 19. First, the recipient must load his own valid escrow certificate 193 into his chip 190 because, under the preferred embodiment of this invention, the chip will not decrypt without it. Typically, the recipient's escrow certificate will already be stored in the device's memory in a pre-verified state. The recipient next loads the MCH 192 and the sender's escrow certificate 194, which also contains the sender's device's public signature verification key (with the appropriate system-wide, national or world authority certificate 195, if necessary) into his chip 190. The recipient's chip 190 checks the sender's escrow certificate 194 in order to verify that the sender's private decryption key has been escrowed. This is done by using the public key of the manufacturer to verify the signature of the manufacturer on the device certificate or, if necessary, the signature of the system-wide authority on the escrow center certificate and by checking whether the escrow center's signature on the sender's escrow certificate is valid. In the preferred
embodiment, the public signature key 196 of the system-wide authority is used to directly verify the escrow certificate 195. The recipient's chip then checks the MCH signature before proceeding in order to verify that (1) the sending device is trusted, (2) the sender's key is escrowed, as also verified by the sender, and (3) the MCH 192 is valid, i.e. the MCH is in the proper format and contains all the requisite information. This is done by verifying the sender's device signature, the sender's device manufacturer's certificate signature and, if necessary, the manufacturer's system-wide authority certificate. The manufacturer's and the system-wide authority's public keys could be embedded into the recipient's chip 190 to facilitate this verification process. In the simplest case, the recipient need validate the sender's escrow certificate 194 only once, against its own embedded manufacturer's public key or system-wide trusted entity instructions key. Once those are shown to be valid for a particular sender, the recipient needs only to use the sender's pre-validated device public key to validate the MCH signature, resulting in only a single signature validation per message. If either the sender's certificate 194 or the MCH 192 is invalid, the recipient's chip will not decrypt the message. Finally, after verifying these certificates and signatures, the recipient computes the message session key based upon the sender's intermediate number, which was included in the MCH, and the recipient's own private key (his secret number) corresponding to his public key as publicized in his public encryption key certificate 193. Using the session key, the recipient decrypts the message sent by the sending user.

Decryption by Law Enforcement

In order to intercept and decrypt communications to and from a particular user, law enforcement must have court authorization or a warrant to monitor that particular user's communications. The court authorization will, in all probability, include (1) a "start monitoring" date and time at which law enforcement may begin to monitor the user's communications, (2) an "end monitoring" date and time after which law enforcement may not monitor the user's communications, and possibly (3) a grace period to follow the "end monitoring" date, during which grace period the law enforcement may retain the user's private key in order only to decrypt the previously-intercepted communications but not to intercept or monitor any additional communications of that user. In monitoring the communications of the sending user, law enforcement intercepts the communication and identifies from the MCH the name and country of the sender's master escrow center in order to determine from whom to request the sender's private decryption key. Law enforcement then presents the court authorization and the MCH from the intercepted communication to the sender's master escrow center, which uses its private key to decrypt the sender's certificate number that was encrypted into the MCH. Using the sender's certificate number, the sender's master escrow center looks up the sending user's name and the names of the sender's escrow agents, and reveals them all to the law enforcement agent along with the sender's device manufacturer certificate, which law enforcement will need later during decoding. The law enforcement agent then contacts each of the sender's escrow agents and presents to it the sender's name and the warrant and obtains from each escrow agent the key splits entrusted to it by the sender. Because the preferred method of intercepting and decrypting encrypted communications by law enforcement in this invention is by using the decoder box specified below, the law enforcement request to the escrow agents will also
include the public encryption key of the law enforcement decoder box, so that the key splits can be sent directly to the law enforcement decoder box and not to the law enforcement agents themselves. Each escrow agent sends the sender's key split in its possession to the law enforcement decoder box as an encrypted message having a "start monitoring" date, a "stop monitoring" date and an optional "grace period" so that the decoder box can enforce the terms of the warrant. The decoder box then decrypts the encrypted key split messages, combines the key splits and uses the sender's reassembled private key to obtain the session key for the communication, which session key was encrypted by the sender into the MCH as a message sent to himself. The decoder box can then monitor and intercept communications to and from the sender only during the monitoring period specified in the warrant, and can continue to decrypt those intercepted communications only until the end of the grace period specified in the warrant.

A similar procedure is used to monitor communications to and from the recipient. From the MCH of the intercepted communication, law enforcement identifies the name and country of the recipient's master escrow center and then presents the warrant and the MCH from the intercepted communication to the recipient's master escrow center, which uses its private key to decrypt the recipient's certificate number that was encrypted into the MCH. Using the recipient's certificate number, the recipient's master escrow center looks up the recipient's name and the names of his escrow agents and reveals them all to the law enforcement agent. The law enforcement agent then contacts each of the recipient's escrow agents and presents to it the recipient's name and the warrant. Each escrow agent sends the key split entrusted to it by the recipient user to the law enforcement decoder box as a message encrypted to the decoder box having a "start monitoring" date, a "stop monitoring" date and a grace period for enforcement of the terms of the warrant by the decoder box. The decoder box then decrypts the encrypted key splits, combines them and uses the recipient's resulting reassembled private key, along with the sender's intermediate number, which is at the head of each MCH, to compute the session key for the communication. The decoder box can then monitor and intercept communications to and from the recipient only during the monitoring period specified in the warrant and can continue to decrypt those intercepted communications only until the end of the grace period specified in the warrant.
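The procedure just described, as an added example that is not part of the patent: a Python model of the decoder box's policy core. It takes the fields of the key split message format given further on in this section, reassembles the private key inside the box, and applies the time-limit checks the decoder box passages below describe (no action before the Begin Monitoring date, backlog decoding only through the grace period, permanent erasure afterwards, rejection of key split messages older than twelve hours, and a null MCH timestamp enforceable only against the stop date). The class and field names, the XOR combination of fragments, the sample dates and the placeholder certificate number are assumptions; the patent does not fix the split scheme or the encodings here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class KeySplitMessage:
    """Decrypted contents of one escrow agent's key split message (field list follows the patent's format)."""
    user_cert_number: str
    fragment: bytes            # Private Key Fragment X(i) held by this agent
    begin: datetime            # Begin Monitoring Date and Time
    stop: datetime             # Stop Monitoring Date and Time
    grace: timedelta           # Court-allowed Grace Period
    issued: datetime           # Date and Time of this key split message


class DecoderBox:
    """Policy core of the decoder box: keeps the reassembled key internal and decides,
    from its trusted clock and the warrant terms, whether a decryption is allowed."""

    def __init__(self, clock: datetime, max_split_age: timedelta = timedelta(hours=12)):
        self.clock = clock                   # trusted, calibrated clock (205 in the text)
        self.max_split_age = max_split_age   # key split messages older than this are refused
        self._private_key: Optional[bytes] = None
        self._begin: Optional[datetime] = None
        self._stop: Optional[datetime] = None
        self._grace = timedelta(0)

    def load_splits(self, splits: List[KeySplitMessage]) -> None:
        """Validate the splits, then reassemble the user's private key inside the box."""
        if not splits:
            raise ValueError("no key splits")
        first = splits[0]
        for s in splits:
            same_terms = (s.begin, s.stop, s.grace) == (first.begin, first.stop, first.grace)
            if s.user_cert_number != first.user_cert_number or not same_terms:
                raise ValueError("key splits disagree on user or warrant terms")
            if self.clock - s.issued > self.max_split_age:
                raise ValueError("stale key split message")
            if self.clock > s.stop + s.grace:
                raise ValueError("warrant and grace period already expired")
        # Assumed split scheme: XOR of equal-length fragments (the patent does not specify one here).
        key = bytes(len(first.fragment))
        for s in splits:
            if len(s.fragment) != len(key):
                raise ValueError("fragment length mismatch")
            key = bytes(a ^ b for a, b in zip(key, s.fragment))
        self._private_key = key
        self._begin, self._stop, self._grace = first.begin, first.stop, first.grace

    def _enforce_expiry(self) -> None:
        """Erase the key permanently once the stop date plus grace period has passed."""
        if self._private_key is not None and self.clock > self._stop + self._grace:
            self._private_key = None
            self._begin = self._stop = None

    def key_loaded(self) -> bool:
        self._enforce_expiry()
        return self._private_key is not None

    def may_decrypt(self, mch_timestamp: Optional[datetime]) -> bool:
        """Decide whether an intercepted MCH may be decrypted now. A None timestamp models
        the null value written by an uncalibrated user chip: only the stop date (via the
        box's own clock) can then be enforced, not the begin date."""
        self._enforce_expiry()
        if self._private_key is None:
            return False
        if self.clock < self._begin:          # warrant not yet valid
            return False
        if mch_timestamp is None:
            return True
        return self._begin <= mch_timestamp <= self._stop


def demo_scenario() -> dict:
    """Constructed sample: two agents' splits for a warrant running 11 to 20 Jan 2024, 3-day grace period."""
    t0 = datetime(2024, 1, 10, 9, 0)
    terms = dict(user_cert_number="CERT-PLACEHOLDER-001", begin=datetime(2024, 1, 11),
                 stop=datetime(2024, 1, 20), grace=timedelta(days=3))
    splits = [KeySplitMessage(fragment=b"\x0f\xf0", issued=t0 - timedelta(hours=1), **terms),
              KeySplitMessage(fragment=b"\xf0\x0f", issued=t0 - timedelta(hours=2), **terms)]
    box = DecoderBox(clock=t0)
    box.load_splits(splits)
    out = {"before_begin": box.may_decrypt(None)}                       # warrant not yet valid
    box.clock = datetime(2024, 1, 12)
    out["null_ts_in_window"] = box.may_decrypt(None)
    out["early_ts_in_window"] = box.may_decrypt(datetime(2024, 1, 5))   # stamped before begin
    out["ts_in_window"] = box.may_decrypt(datetime(2024, 1, 12))
    box.clock = datetime(2024, 1, 22)                                    # past stop, inside grace
    out["backlog_in_grace"] = box.may_decrypt(datetime(2024, 1, 15))
    out["after_stop_in_grace"] = box.may_decrypt(datetime(2024, 1, 21))
    box.clock = datetime(2024, 1, 24)                                    # past stop plus grace
    out["after_grace"] = box.may_decrypt(datetime(2024, 1, 15))
    out["key_erased"] = not box.key_loaded()
    stale = KeySplitMessage(fragment=b"\x01\x02", issued=t0 - timedelta(hours=13), **terms)
    try:
        DecoderBox(clock=t0).load_splits([stale])
        out["stale_rejected"] = False
    except ValueError:
        out["stale_rejected"] = True
    return out
```

Nothing in the class returns the reassembled key; `may_decrypt` answers only yes or no, which is the property the text insists on (the box never outputs the wiretapped user's private key to the agents). With a null timestamp the box can refuse only once its own clock passes the stop date plus grace, exactly the weaker enforcement the text notes for uncalibrated user chips.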

In another embodiment of the present invention, the format for each escrow agent's encrypted key split message to the law enforcement decoder box might be as follows:

User's Certificate Number
Private Key Fragment: X(i)
Begin Monitoring Date and Time
Stop Monitoring Date and Time
Court-allowed Grace Period (days/hours)
Date and Time (of this key split message)
Escrow Agent Signature
[Escrow Agent Certificate]

In this format all information except for the Certificate Number would be encrypted under the encryption key of the decoder box. Because the key split messages from the escrow agents are encrypted for that particular decoder box, no other user or decoder box can read them. Furthermore, the "Begin Monitoring" and "Stop Monitoring" dates and times instruct the decoder box when to begin monitoring and decoding communications and when to stop monitoring; the
Grace Period allows the decoder box an additional, specified time period to decode any backlog of the previously intercepted communications, after which time period the decoder box must stop decoding and must erase the subject's private key. Thus, the decoder box can be used to decrypt the monitored user's communications until the date specified in the warrant, at which time the decoder box and its embedded time clock prevent any further decryption. The decoder box could also refuse to process key split messages having a Message Date and Time older than twelve (12) hours (or some other specified time period) or having an Expire Date and Time that has already passed.

Decoder Box Implementation

In a preferred embodiment of this invention, law enforcement employs a special tamper-resistant decoder box for intercepting and decrypting the communications of monitored users under certain defined and controlled conditions. An example of a decoder box and its process flow is shown in FIG. 20. The decoder box 200 is designed to be a trusted device of a similar design within the system of trusted devices of the present invention and, therefore, can enforce various conditions in order to prevent improper action by law enforcement agents. The decoder box 200 has a private device signature key embedded by the manufacturer and a manufacturer's public signature key certificate 202 for the public signature key that matches the device private signature key. In addition to the manufacturer's certificate 202, the decoder box may also have a certificate 203 issued by (or on behalf of) a law enforcement authority or corporate security department that owns the decoder box, attesting or notarizing the connection between the decoder box and the law enforcement or security authority, and attesting that the decoder box is under its sole possession and control. The decoder box 200 also has the ability to generate a public/private key pair, just like the regular user chip of the present invention, for encryption and decryption of administration and control messages to the decoder box. The decoder box 200 further has the abilities to store its private key securely and to issue the corresponding public encryption key within a certificate 201 signed by itself, with its device certificate 202 signed by the manufacturer attached. Having this ability to generate (and use) the public/private key pair enables the escrow agents 206 of a wiretapped user, upon presentation by law enforcement agents to the master escrow center of a warrant to monitor the user's communications, to send the key splits 204 of that wiretapped user to the decoder box encrypted using the decoder box's public encryption key and enables the decoder box to decrypt those key splits using its private decryption key. However, unlike a regular user chip of the present invention, which decrypts a message and returns the unencrypted result to the user, the decoder box never outputs the wiretapped user's private key to the law enforcement agents. Instead, the decoder box stores this information securely until the end of the Grace Period specified in the warrant and in the key split messages, at which time the decoder box erases the information permanently.

Accordingly, in order to perform its duties as a trusted device and enforce the date and time restrictions imposed by the wiretap authorization, the decoder box 200 must also contain a trusted, calibrated and certified date/time clock 205. The decoder box manufacturer certifies and attests to the validity and the calibration of the clock 205 when the manufacturer issues a device certificate 202 with its list of known device properties. When the decoder box 200 receives from the escrow agents 207 the key splits 204 containing time limits (based upon the warrant) before or after which the warrant is not valid, the decoder box 200 uses its internal time clock 205 to verify that the law enforcement warrant is still valid. If the warrant is not yet valid, the decoder box will not monitor or decrypt the communications of the wiretapped user. If the warrant (and any applicable grace period) has expired, the wiretapped user's private key is erased and will not be recreated again under that warrant by the decoder box (unless a new warrant having a new time period is issued). It should be noted that although the trusted time clock 205 is optional for a regular user chip of the present invention, it is mandatory for the decoder box 200 in order to allow the decoder box to enforce the date and time limits of the wiretap warrant. However, the user of the regular user chip can assist in the time limit enforcement by maintaining the calibration of his chip's time clock. If the user's clock is not calibrated, the MCH generated by the user's device during communications will contain a null value in the timestamp field. In that case, the decoder box intercepting the communication will be able to enforce only the Stop Monitoring Date of the warrant by refusing to decrypt after the expiration of the warrant and grace periods. Then, the decoder box cannot enforce the Begin Monitoring Date because, as long as the warrant is still valid, the warrant allows decrypting of all MCHs submitted with null timestamp values even if they were intercepted prior to the warrant period Begin Monitoring Date and Time. But, if the user's clock is calibrated, the law enforcement decoder box can and will refuse to decrypt all MCHs containing a valid and trusted timestamp for a date and time prior to the warrant Begin Monitoring Date and Time. Most preferably, the decoder box of the present invention will decrypt only communications that are reliably timestamped during the warrant time periods. It is anticipated that this added immunity from potential abuse of warrant time periods by law enforcement may motivate users of the chip of this invention to maintain their chips in a calibrated state. Indeed, where the system is used to encrypt large numbers of messages in a data storage system, the enforcement of time periods for a later warrant or discovery order may be highly desirable, because otherwise many messages outside the lawful scope of the order might become subject to inspection.

Enforcement Auditing Features

With an escrowed encryption system, there is a concern that law enforcement agents might be easily bribed in order to obtain cryptographic keys that protect data of high economic value. For example, members of a well-funded criminal enterprise might be able to steal a set of valuable industrial plans from a particular company, first by illegally tapping that company's communications in order to obtain some message headers and escrow agent names, then by bribing a low-paid police official to request a warrant for a drug investigation in order to obtain the company's private decryption key from the escrow agents, and finally by using the private decryption key to steal the plans. Because encryption is now used for secure communication between many computers, it is no longer acceptable for law enforcement to wiretap a telecommunications system with minimal safeguards. A much stronger set of safeguards is needed in order to bring police procedures and controls up to the level of modern corporate computer security practices and prevent this type of situation from occurring.

One such safeguard for the trusted device is an internal counter for numbering each message control header, which counter will increase sequentially after each access. The


12/09/2003, EAST version: 1.4.1

5,799,086

33 34

message sequence number (MSN) can be placed in each message header encrypted so that it would not be visible to an outsider. This can be done by encrypting the number either (1) under the sender's public encryption key, along with the sender's copy of the message session key, (2) under the public encryption key of the escrow agent of either the sender or the recipient, or (3) preferably under at least the sender, receiver, and their escrow agents, and possibly under all parties in the community of interest. However, the sender's escrow agent could also, as a matter of policy, elect to allow the sequence number to be displayed in the clear, on the grounds of economy of space and the low risks of exposing it. It is critical to avoid duplicate numbers of message control headers, and gaps in numbering should also be avoided to the extent possible.

Another safeguard feature might be to allow the user to include an optional secret "title line" in the message control header. If a user feared illegal tapping under improper warrants, the user could encode a short title, such as "Plan #123," in order to alert himself and others to the contents of the message. Alternatively, a user could simply keep his own log (through a mail software system) relating the device-assigned message sequence numbers and the user-assigned titles. In order to save space, the title line would be of length zero if no title was entered, as would often be the case.

A third protection is to add to the signed portion of the message control header a digest or hash of the message contents in order to prevent either the user or law enforcement from later claiming that the contents of the decrypted message were other than as actually sent. That is, for example, the user could not later substitute a harmless message for the drug deal message that had previously been sent, nor could corrupt law enforcement officials later substitute a drug deal or harmless message for the valuable industrial plans the officials were stealing.

These safeguards could be used as additional security measures. First, the sender device-generated message sequence number would be used to track the message, by both sender and receiver, as well as by law enforcement and the court system. Although law enforcement access may be difficult to effectively control, especially during the heat of pursuit of criminals, and although the court system may not always be able to carefully analyze law enforcement requests prior to issuing wiretap authorizations, diligence after the fact can be exercised in order to audit the results of a wiretap, either of every wiretap, of a random sample of wiretaps, or of wiretaps that in some way appear unusual. The trusted device of the law enforcement agents, the decoder box, is therefore modified to include a secure internal log of the message sequence numbers and message digests (and title lines, if any) of the messages that it has monitored and allowed to be read by law enforcement. The electronic authorization sent to the decoder box by the escrow agents of a wiretapped user with that user's key splits may also include the public encryption and signature keys of the court that issued the warrant. The decoder box is then able to respond to a request to print out the log of message sequence numbers and title lines, possibly encrypted under the key of a suitably authorized recipient such as the court that issued the warrant.

In another embodiment the decoder box will not start to decrypt the monitored communications until it receives a specific court order that matches the key splits received from the escrow agents. For example, the key split messages that are received from the escrow agents and encrypted using the decoder box's public encryption key can be enhanced to include (from each escrow agent) the public encryption and signature keys of the court that issued the warrant. Or, the escrow agents might refer in their key split messages to the date and number (if any) of the warrant, and the decoder box might then receive from the court the court's public encryption and signature keys, as well as the court's public key certificate that had been attached to the original wiretap authorization. For example, the court authorization to the escrow agents can be enhanced to convey the following data, which is needed for the key split message:

Master Escrow Center Name or ID Number
Monitored User's Certificate Number
[...] or ID Number
Warrant Number (if any)
Date and Time of Warrant
Begin Monitoring Date and Time
Stop Monitoring Date and Time
Maximum Number of Messages (optional)
[Judge Signature]
Judge Certificate
Judge Certifier Certificate (e.g., court, etc.)

The escrow agents could then "recertify" the court's public encryption and signature keys to the decoder box by having the encrypted key split messages from the escrow agents to the decoder box include the following additional information, which must be present in each key split from each escrow agent:

Master Escrow Center Name or ID Number
Monitored User's Certificate Number
Escrow Agent Name or ID Number (sending this key split message)
Court Name or ID Number
Court Public Encryption Key
Court Public Signature Key
Warrant Number (if any)
Date and Time of Warrant
Maximum Number of Messages (optional)
Escrow Agent Signature
[Escrow Agent Certificate]

The decoder box thus receives the assurance that all the key split messages came from the same judge and the same warrant.

The fact that the decoder box also has the judge's public encryption and signature keys allows the judge to request and receive (in confidence) the log of all message sequence numbers and message title lines intercepted and decrypted by the decoder box during the wiretap period, as a post-wiretap audit to safeguard against unjustified, unlawful or corrupt conduct of law enforcement agents. Furthermore, the decoder box will not delete, erase, or reuse any memory assigned to the monitored message log until the decoder box receives a separate order from the judge or court verified against the previously received public signature key, stating that the decoder box may do so. Such an order will be issued either because the court has already received from the decoder box the monitored message log that it previously requested, or because the court has decided that no audit is needed in this instance. If the monitored message log memory storage area becomes full, the decoder box will not decrypt any more messages until the log is sent to the judge or court and an order signed by the court is received allowing the decoder box to erase the monitored message log. Law enforcement can continue to intercept new messages pending clearing of the monitored message log,
although the new messages will not be decrypted until the full message log has been cleared for audit. The decoder box will also have a feature alerting law enforcement that the monitored message log is nearing capacity, so that they can request that the message audit log be uploaded so that the decoder box will not cease decrypting. These transactions and communications may be fully automated and nearly instantaneous.

Each entry in the audit log may contain, in addition to a digest of the message, a second digest that is the product of (a) the message digest plus (b) the full text of the previous log entry concatenated together and redigested. This can prevent any dishonest court personnel from adding, deleting or resequencing the entries in the log. This concept is discussed in U.S. Pat. Nos. 5,136,646 and 5,136,647, which are hereby incorporated by reference.
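The monitored message log of the preceding paragraphs, as an added example that is not code from this patent or from the cited patents: each entry carries the message sequence number, the title line and the message digest, plus the chained second digest just described; the log refuses further entries at capacity, so the box would stop decrypting, and its memory is released only on a verified court order. The names (`MonitoredMessageLog`, `verify_chain`), SHA-256 as the digest, JSON with sorted keys as the "full text" of an entry, the boolean standing in for signature verification of the court's order, and the sample messages are all assumptions.

```python
import hashlib
import json
from typing import List


def digest(data: bytes) -> str:
    """Message digest (SHA-256 is an assumed choice; the patent only says 'digest or hash')."""
    return hashlib.sha256(data).hexdigest()


def chain_digest(message_digest: str, previous_entry_text: str) -> str:
    """Second digest: the message digest plus the full text of the previous entry, redigested."""
    return digest((message_digest + previous_entry_text).encode())


def entry_text(entry: dict) -> str:
    """Canonical full text of a log entry (assumed encoding: JSON with sorted keys)."""
    return json.dumps(entry, sort_keys=True)


def verify_chain(entries: List[dict]) -> bool:
    """True only if every entry's chain digest matches its own digest and its predecessor's text."""
    previous = ""
    for e in entries:
        if e["chain"] != chain_digest(e["digest"], previous):
            return False
        previous = entry_text(e)
    return True


def sequence_problems(entries: List[dict]) -> List[str]:
    """Report duplicate or skipped message sequence numbers, which the text says must be avoided."""
    problems, seen, expected = [], set(), None
    for e in entries:
        msn = e["msn"]
        if msn in seen:
            problems.append(f"duplicate MSN {msn}")
        elif expected is not None and msn != expected:
            problems.append(f"gap before MSN {msn}")
        seen.add(msn)
        expected = msn + 1
    return problems


class MonitoredMessageLog:
    """Decoder box audit log: chained entries, a capacity cap, erasure only on court order."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: List[dict] = []

    def is_full(self) -> bool:
        return len(self.entries) >= self.capacity

    def record(self, msn: int, title: str, message: bytes) -> dict:
        """Append an entry; at capacity the box must suspend decryption, so this refuses."""
        if self.is_full():
            raise RuntimeError("log full: decryption suspended until the log is audited and cleared")
        previous = entry_text(self.entries[-1]) if self.entries else ""
        entry = {"msn": msn, "title": title, "digest": digest(message)}
        entry["chain"] = chain_digest(entry["digest"], previous)
        self.entries.append(entry)
        return entry

    def clear(self, court_order_verified: bool) -> None:
        """Release log memory only after an order verified against the court's signature key
        (the verification itself is modelled by the flag)."""
        if not court_order_verified:
            raise PermissionError("no verified court order; log memory must not be reused")
        self.entries = []


def demo() -> dict:
    """Constructed sample run: three logged messages, then tampering attempts on copies of the log."""
    log = MonitoredMessageLog(capacity=3)
    log.record(1, "Plan #123", b"constructed message one")
    log.record(2, "", b"constructed message two")
    log.record(3, "", b"constructed message three")
    out = {"intact": verify_chain(log.entries), "full": log.is_full()}
    try:
        log.record(4, "", b"constructed message four")
        out["blocked_when_full"] = False
    except RuntimeError:
        out["blocked_when_full"] = True
    deleted = [log.entries[0], log.entries[2]]                   # entry 2 removed
    swapped = [log.entries[1], log.entries[0], log.entries[2]]   # entries resequenced
    edited = [dict(e) for e in log.entries]                      # title of entry 2 altered
    edited[1]["title"] = "harmless"
    out["delete_detected"] = not verify_chain(deleted)
    out["swap_detected"] = not verify_chain(swapped)
    out["edit_detected"] = not verify_chain(edited)
    out["gap_reported"] = sequence_problems(deleted)
    return out
```

Because an entry's chain digest covers its predecessor's full text and its own message digest but not its own title or sequence number, a change to the most recent entry's title is caught only once a further entry has been appended; an implementation should sign the latest entry or fold the entry's own fields into its chain digest.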

As a followup action, the court could later request that law enforcement submit the message headers and the full content of the message digests in the audit log that the court has received. Also, in its wiretap authorization, the court could artificially limit to less than full message log capacity the number of monitored messages that may be decrypted by the decoder box before the monitored message log and message headers must be audited. Although this type of limit would have no effect on the overall ability of law enforcement to investigate, because downloading of the log to the court for auditing is almost instantaneous, it might alert the court to unusual circumstances. In specific cases that require controls that are stronger than merely sending the monitored message log to the court, the court might limit law enforcement to less than full message log capacity before law enforcement must seek a new warrant to monitor additional communications.

Thus, if (1) both sender and receiver keep track of the sequence numbers of the messages they send and receive, and either associate title lines in the message control headers or log the messages in their local software systems, (2) both law enforcement and the court retain a complete log of each message decrypted by law enforcement, and (3) each message header includes a digest of the message in order to prevent any party from later altering the message to cover up its actions, then a credible post-tapping audit can determine whether there might have been any abuse or corrupt action by the law enforcement agency. Although this system still cannot prevent, a priori, the stolen plan scenario mentioned above, the knowledge by the criminal enterprise that its actions can be fully audited by both the court and the subject users can provide a worthwhile check on improper police actions. It might also be made a matter of regulation that the law enforcement agency record and submit to the court all messages intercepted under a warrant and allow the wiretapped parties to request an audit of the wiretap, particularly where the subject is associated with a business enterprise and no criminal charges are filed based upon that wiretap.

Stream-Oriented Data

In communications involving stream-oriented data, such as a telephone call, in which each communication consists of a stream of several message packets from two or more users, it is impossible for the sender device to hash and sign the entire message as part of the MCH. Although it might be possible to send a MCH with each packet of a communication, doing so would be very costly in terms of processing time and network bandwidth. Hence, the MCH should be transmitted only once, at the time of call setup. A preferred way to handle continuous streams of encrypted data is to designate the calling user as the "sender" and to negotiate the MCH at the start of communication, as before, including the message sequence number (MSN) and the hash of the first packet (if any) signed by the device. Then, the sender's device could generate a series of unique packet sequence numbers (PSN), whose sequence begins with zero at the start of each communication. For all subsequent packets, the device needs only to hash and sign that particular packet and to include (and sign) the hash, the MSN (the same for the entire message) and the PSN for the packet. The callee will perform similar actions for each packet it sends, by referencing the caller's MSN for the communication, sequentially numbering its own packets starting with zero, and having the callee device sign a group consisting of the packet hash, the caller's MSN and the callee's PSN, thereby forming a "packet control header" (PCH). The devices might optionally include the current time as an offset from the start time of the communication (in seconds or milliseconds), which is already present in previously disclosed versions of the MCH. This could enable the call to be replayed more realistically.

In order to further distinguish the caller's and callee's packets after the communication, it will also be desirable to include a call party code (CPC) with a simple coding scheme assigning numbers to the parties to the communication, such as caller=0, callee=1, and any additional parties to the same encrypted session receiving higher numbers. Or, in place of the CPC, a unique identification number, such as the device serial number, the device serial number plus the device manufacturer ID number, or the hash of the foregoing, may be used.

These methods could also be generalized as a method for multi-party session key generation. For example, a caller could generate a session key and use that same key to initiate calls with several callees simultaneously using RSA key transport. There will then be a separate MCH for each added party after the first two parties (caller and callee). The caller's device could treat the multi-party call as separate calls or as a single call having the same session key but having multiple CPCs. Each callee would then be responsible for using the caller's MSN and for maintaining its own CPC and PSN. Alternatively, assuming use of conventional two-party session key generation methods (such as Diffie-Hellman methods), conference calls could exist in which a central party (e.g., a system operator) places all the calls and performs real-time decrypting and re-encrypting of each party's packets for all the others. The central party could also be the individual who patches in the next callee, in which case that callee's packets would be decrypted by that individual's device and then re-encrypted using the session key(s) that the callee is using to communicate with the other party (or parties). See also B. Schneier, Applied Cryptography, J. Wiley 1994, p. 276, regarding use of Diffie-Hellman with three or more parties.

A Packet Control Header (PCH) could be formulated as follows:

Original Caller's MSN
User Call Party Code (CPC) (caller=0, etc.)
User Packet Sequence Number (PSN)
Time Offset from call setup (msec)
Hash (of this packet)
[Device Signature]
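A worked version of the per-packet scheme above, added here as an example; it is not code from the patent. Two parties build PCHs over a constructed five-packet exchange, and an audit routine re-verifies every header and reconstructs each party's PSN sequence, so that a dropped, replayed, reordered or altered packet in a monitored log is reported, which is the packet-level audit the text is after. HMAC-SHA256 under a per-device key is a stand-in for the device's public-key signature (so the verifier here needs the device key; a real auditor would verify with the public key from the device certificate), and the canonical JSON encoding of the signed fields is an assumption of the example:

```python
"""Packet control headers (PCH) for a stream-oriented call (added example,
not the patent's own code).  Each packet carries the original caller's MSN,
a call party code (CPC), the sending party's own packet sequence number
(PSN), the time offset from call setup, the hash of the packet and a device
signature over those fields.  An auditor with the devices' verification
keys re-checks every header and reconstructs each party's PSN sequence.

Assumptions: HMAC-SHA256 under a per-device key stands in for the device's
public-key signature (so the verifier here needs the same key), and the
signed fields are encoded as canonical JSON.
"""
import hashlib
import hmac
import json

CALLER, CALLEE = 0, 1          # call party codes as in the text


def _canon(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_pch(device_key: bytes, msn: int, cpc: int, psn: int,
             t_offset_ms: int, payload: bytes) -> dict:
    """Build and sign the PCH for one packet."""
    fields = {"msn": msn, "cpc": cpc, "psn": psn, "t_ms": t_offset_ms,
              "hash": hashlib.sha256(payload).hexdigest()}
    fields["sig"] = hmac.new(device_key, _canon(fields), "sha256").hexdigest()
    return fields


def verify_pch(device_key: bytes, pch: dict, payload: bytes) -> bool:
    """True if the hash matches the payload and the signature verifies."""
    body = {k: v for k, v in pch.items() if k != "sig"}
    if body.get("hash") != hashlib.sha256(payload).hexdigest():
        return False
    expected = hmac.new(device_key, _canon(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, pch.get("sig", ""))


class Party:
    """One device's side of a call: MSN fixed at setup, PSN counting from 0."""

    def __init__(self, key: bytes, cpc: int, msn: int):
        self.key, self.cpc, self.msn, self.next_psn = key, cpc, msn, 0

    def send(self, payload: bytes, t_offset_ms: int) -> tuple:
        pch = make_pch(self.key, self.msn, self.cpc, self.next_psn,
                       t_offset_ms, payload)
        self.next_psn += 1
        return pch, payload


def audit_stream(packets: list, keys: dict, msn: int) -> list:
    """Re-check a logged stream of (pch, payload) pairs.  `keys` maps CPC to
    the device's verification key.  Returns a list of findings; an empty
    list means every packet verified and both PSN sequences are complete."""
    findings = []
    seen = {}                                   # cpc -> PSNs in log order
    for i, (pch, payload) in enumerate(packets):
        cpc = pch.get("cpc")
        if pch.get("msn") != msn:
            findings.append(f"packet {i}: MSN {pch.get('msn')} is not the call's MSN {msn}")
        if cpc not in keys or not verify_pch(keys[cpc], pch, payload):
            findings.append(f"packet {i}: bad signature or hash (cpc={cpc})")
            continue
        seen.setdefault(cpc, []).append(pch["psn"])
    for cpc, psns in seen.items():
        if psns != sorted(psns):
            findings.append(f"cpc {cpc}: packets logged out of PSN order")
        if len(set(psns)) != len(psns):
            findings.append(f"cpc {cpc}: duplicated PSN (replayed packet)")
        missing = sorted(set(range(max(psns) + 1)) - set(psns))
        if missing:
            findings.append(f"cpc {cpc}: missing PSN(s) {missing}")
    return findings


def sample_call() -> tuple:
    """Constructed two-party call; returns (packets, keys, msn)."""
    keys = {CALLER: b"caller-device-key", CALLEE: b"callee-device-key"}
    msn = 4711
    caller = Party(keys[CALLER], CALLER, msn)
    callee = Party(keys[CALLEE], CALLEE, msn)
    packets = [caller.send(b"hello", 0), callee.send(b"hi", 120),
               caller.send(b"meet at noon", 300), callee.send(b"ok", 450),
               caller.send(b"bye", 900)]
    return packets, keys, msn
```

The audit keys on the PSN rather than on log position: a packet missing from law enforcement's log shows up as a gap in one party's sequence, a replayed packet as a duplicate, and any edit to a logged payload or header field as a hash or signature failure, none of which the log holder can repair without the device key.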

It might be preferable not to send a PCH with each packet of a communication, due to the resulting heavy overhead in some systems that use short packets, but rather to send the PCH only periodically. This is akin to the technique known as "sliding windows" in network communications, in which packet sequencing and retries are not performed for each packet but only for large numbers of packets. Usually such systems dynamically adjust the "window," or the number of packets that are sent between error checks, based on line noise, i.e. making the window large for a clear line but making it small for a noisy line requiring frequent retries. If errors occur often, a small window would require the user to resend only a small amount of data; if errors are rare, checking can be performed infrequently, albeit with a high cost to resend lost data in case of an error. Packet control headers could be directly integrated into the sliding window scheme of a communication system, thereby providing the desired capacity to audit law enforcement actions down to the packet level, while also allowing maximum system throughput in a modern communications network. Note that a PCH sent once per window must then bind every packet sent since the previous PCH (for example by hashing over all of them), because a packet that no signed header covers could be dropped or altered without this being detected in the audit.

To further strengthen the auditability of the wiretap process, it is advantageous to positively mark the end of a communications session with some special packet. This packet may be sent automatically by each device to the others prior to disconnecting, unbeknownst to the users, in order to prevent either the users or law enforcement agents from later claiming that a conversation either had or had not ended, when the opposite in fact occurred. This could be accomplished by instructing each device to accept a "want to hang up now" input from its human user, whereupon the device would send out a "prepare to disconnect" packet, which would then stimulate the other device(s) to do the same. The device(s) would terminate their data streams with a "final" packet containing no additional data but including the totals of all packets sent and received, call duration, etc.

Timestamp Device

Another feature of this invention in its preferred embodiment, as discussed above regarding the decoder box, is a trusted and tamper-resistant timestamp device that self-certifies that it can issue (or affix) digitally signed timestamps (or data structures containing such timestamps) that can be considered trustworthy by third parties. Such timestamp devices are described in U.S. Pat. Nos. 5,001,752 and 5,136,643, by Addison M. Fischer. In its preferred embodiment, shown in FIG. 21, the timestamp device 210 (or subsystem) can be calibrated and set into operation only by a trusted authority, such as the manufacturer or one trusted by the manufacturer, in much the same way that a postage meter can be set only by the local United States Postal Service branch office and is from then on trusted by the public and the postal system to dispense postage stamps only up to the prepaid amount. Once calibrated, the timestamp device 210 (or subsystem) will respond to a "time-set" instruction 211 (or recalibration) only if that instruction is signed either by the manufacturer itself or by an entity that has attached a certificate 212 from the manufacturer, or one trusted by the manufacturer, stating that the entity is trusted to set and calibrate the timestamp device (or subsystem) of the host device. The time-set instruction operation would probably need to be performed in person, with the time-setting authority taking momentary physical possession of the device and immediately erasing the time-set instruction 211, in order to prevent the possibility of a device owner capturing the instruction and replaying it at a later time in order to "back-date" a device's clock.

Once calibrated, and for as long as it is undisturbed, the timestamp device 210 will affix complete timestamp data in structured data fields based upon its internal clock mechanism, signing 214 the resulting data structures with its private device key and furnishing its manufacturer certificate 215. If the host device should lose power, be tampered with or receive an instruction to deactivate itself, the timestamp device will cease issuing timestamps. In that case, in order to avoid impairing other possibly useful functions that do not, as an absolute matter, require trusted timestamps, the timestamp device will use a convention, such as filling the timestamp field with a "null" value (such as binary zeros or binary ones or an equivalent convention), whenever a structured data field requires a timestamp to be entered. However, when a structured data field or the host device requires that an actual timestamp be issued, such as in the case of a law enforcement decoder box, and the timestamp device has ceased to issue timestamps, the host device functions that require timestamps will not operate; in the case of the decoder box, the host will refuse to decrypt intercepted communications.

In order to avoid or minimize the occurrence of the situation of lost host device power, each trusted timestamp device should preferably be equipped with its own separate long-lived battery 216 for clock use only, some "low battery" warning indicator to prevent timestamp device loss of power before a battery change, and some means of retaining an adequate electrical charge (such as a storage capacitor, a second battery compartment or an optional external power supply) during battery change operations.

For each timestamp issued by the [timestamp device, there is a certificate from the] manufacturer (or another time-setting authority) stating the quality and reliability of the timestamp clock [...] as well as its expected time drift. When a recipient user receives a data structure that has been digitally signed [by such a device], the recipient knows that, if the timestamp field is completed with a valid value, the device's signature and certificate certify that the time was correct when the data structure was created, signed and issued. This certification is based on (1) the trustworthiness of the authority that most recently calibrated the timestamp clock, (2) the clock's drift tolerances as stated by the manufacturer in the device certificate, and (3) the clock's ability to deactivate itself upon tampering or a loss of power. The recipient further knows that if the timestamp field contains a "null" value, then the timestamp clock was not in a state of trusted calibration at the time the device created, signed and issued the data structure. This information concerning the trusted properties of the timestamp device and its internal clock mechanism can preferably be encoded directly into the device certificate using a suitable attribute-value coding scheme. However, this information could also be implied from the manufacturer name and device type, which could [...] when the device certificate is issued. [...] other message handling operations besides MCH [...] decoding. These timestamps could be attached to the personal signature of the device's user when the user signs another document or transaction using his personal signature key, which is securely confined inside the device. The device would sign or co-sign the timestamp element of the user's signature, or might alternatively sign over the user's entire signature block (which contained the timestamp, also signed by the user, along with the hash-result message digest of the document). The device could then supply its certificate in order to make the timestamp believable and trustworthy to a third party who knows the manufacturer's public key.

Upgrading, Replacing and Rekeying

Another feature of this invention is a tamper-resistant trusted device that contains an embedded manufacturer's
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public key, a protected non-volatUe mcmoiy area and a centers as described in the present invention. These embed- 

secure central processor unit (CPU) and can upgrade or ded keys, including those of the manufacturer or other 

suijdcracnt in a trusted manner any ftimwarc routines trusted third parties, can be used to verify various certificates 

embedded by the manufacturer. The trusted device docs me such as escrow certificates, device certificates, upgrade 

uj^ading or supplementmg by accepting as input a 5 certificates, time- set instniction certificates and others t^^ 

data contaimng new <^ addiuonal firmware code that is may be presented to the device for it to act upon. In addition 

suitable for that type of device and IS digitally signed with to relying only on public keys embedded during 

toe manufacture s signature, which signature assures the manufacture, the device can also accept external instructions 

device that the new firmware code has been developed, to embed new puWic keys or to replace existing ones. In 

tested and approved by the manufacturer and that order for a device to accept and store in a non-pubUc area the 

"I^i^^ ""'^^ ^""^ "^^^^y ^^^^ ^g^^ of a trusted third party, die manufac- 

embedded firmware routmes with the new firmware code or turer wiU enclose the new public key in a signed instnjcUon 

(b) add the new firmware code as one more new routines data packet (or certificate) signed by the manufacturer 

in a currently unused area of i^otectcd memory. In the instructing tfic device to discard Ac enclosing certificate and 

prefOTCd cmboduncnl. the protected mcmoiy would be of 15 store the designated pubUc instructions key within. The 

the FLA5H type, which can retain its information indefi- special packet may also instruct the device as to what types 

nitely whde powered down but can also be erased by the of transactions the new key is trusted (e.g., for use with a key 

device (albeit relatively slowly) and reused if desired. The escrow aR)Hcation, car rental application, medical dam 

protected memory could also include any data storage area abdication, or other use). Upon receiving such a public key 

(such as a disk drive). whettiCT or not tamper-resistant, in 20 data packet from the manufacturci; the device would fir^ 

whidi the code to be upgraded or supplemented could be verify the manufacturer's signature and then accept and 

stored in an enc2T>ted fonn for which the decryption key is store the new pu Wic key along with the restriction on the 

known only by die trusted device. By staring the programs public key's use 

m an device effectively prevents them The manufacturer may also designate at the time of 

deoypaon key. When die device receives such a signed during manufacture or later as part of an instructions daU 

body of new firmware (or software code, the user inputs the paekel that one of the transactions fcr whi<* that A^pa?? 

codealong with the manufacturer's signature and issues a key is approved is the replacement of the manuS^ 

T"*^ instruction to the device. The own undfflying pubUc si^atuxe verification key. Although 

^bhv.t. 'S^' "^l?/ ^ "^"^ * replaceSint of thrmanufacturer's owTpublic sj! 

pubbc ^gnaturc k^ of the manufacture, which w« embed- mature key should almost never be required, th™ is Ac 

d^m the device dimng manufacture. If tiie manufacturer's chance that the manufacturer's corre^^nding private s^- 

Z^^L^J^ naturekey(forissuingdeWcecertific^and^om^instrui 

performs the dcsmwl upgrade. ^^^^ ^ ^.^^^ ^ compromised through theft 

The process of a trusted upgrade to the firmware of a 35 Theft of the manufacturer's private signature key would 

trusted device as described above can be fiirthcr extended to allow the thief to issue seemingly valid instructions to 

^mmodate authorized third parties tfiat desire to upgrade approve new esaow centers (of dubious trustworthiness) 

firmw^ routines diat pertain to device functions relevant to and to approve new time set authwities. Altematively, and 

those third parties, including functions such as the present more likely, the manufacturer's private signanirc key might 

key escrow system, which may be largely designed and 40 simply be lost or destroyed, tiius preventing die issuance of 

ad^stered by a bank master escrow center indq)endentiy any further valid instructions. Either of these events would 

of ttie trusted device manufacturer. In an instance of third be classified as a "disaster" in conqniter systems terms and 

party upgrade, the manufacturer could sign a firmware could result in all of diat manufacturer's devices having to 

upgrade certificate containing a pubUc key of tfie third party be recaUed. However, through the present invention, the 

firmware provider and issue it to tiiattiiird party. The third 45 expense of such a recall could be prevented or mitigated by 

party could then develop, test, and aj^ove replacement or allowing a trusted third party to replace toe manufacturer's 

additional firmware routines, sign fliem with the third par- coirqwomised signaftire key. Assuming that the manufacturer 

ty's private signature key, and attach its upgrade certificate had already embedded die instructions keys of one or more 

fi-om tiie manufacturer tiiereto. Upon receiving sudi an trusted third parties into the device, cither during manufac- 

upgrade, the user would load both the signed code routines 50 ture or later using an instructions data packet, and had 

and tile manufacturer's upgrade certificate into the device included the replacement of its own pubUc key among tfie 

and tiicn issue a '^process third party firmware i5)grade'' transactions that the third party's pubUc instructions key 

instruction. TTie device would then vaify the tfiird party's could apjHOve, the manufacturer could then turn to Uiat 

signature on die new code routines against the manufactur- trusted third party and request that it issue an instruction dato 

er's upgrade certificate and tfien verify the upgrade ccrtifi- 55 packet to aU of the manufecturcr's devices authorizing the 

cate against die manufacturer's public signature key diat was replacement of die manufacturer's public signature key, tiius 

embedded in the device during manufacture. If botfi signa- saving itself and its users die potentially huge expense of 

hires verify, tiie upgrade is accepted and the device performs physically replacing all the physical devices. Because aU die 

the desired upgrade. device certificates issued by tiiat manufacturer would also 

In addition to accepting instructions to upgrade or supple- 60 have to be replaced, this could be accomplished by having 

ment device firmware routines, a tamper-resistant trusted each device issue a certificate request for tiie device's own 

device can also accept instructions to replace or supplement public device signature key. If the manufactoirer's private 

•Instructions" public keys dial were embedded during manu- key was lost destroyed, and not compromised, then all 

facture. As discussed earlier, a trusted device may have previous signatures would stOI be valid and a user would 

public keys besides ttiose oi tiie manufacturer embedded 65 need only to present his old device certificate in order to 

during manufacture of the device. Such 'Instructions" public have a new device certificate issued for die same informa- 

keys might include diose of one or more master escrow tion signed by the manufacturer's new signature key. The 
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manufacturer would then return new device certificates issues a signed instruction 231 to the device 230, including 

(most Ukcly via an on-line or an electronic-mail transaction). (1) the device's serial number 232. the unique owner iden- 

Whilc this would still be expensive, it would be far cheaper tification number 233. (2) the names of the escrow agents 

and less detrimental to the reputation of the manufacturer 235 and the master escrow center 234. (3) the date and time 

than the wholesale physical replacement of aU of that 5 of the rekey instruction, (4) the date and time of the rekey 

manufacturer's trusted devices in the field, iDstruction expiration 23< and (5) the rekey mstruction 

The incoiporation into the trusted device of the present unique serial number 237. and signs the instrucUon usmg tiie 

inventionofamechanismtoreplaccamanufacturer^spubUc employer's pnvate signaUire key 238 Upon receip^ of a 

key or any other trusted pubUc instructions key could vahd owner's certificate 239 and a vaUd rekey mstniction 

midgatc some of the systemic security risks that are posed lo 231. chip within the trust^l device 230 first verifies the 

by L use of system-wide root pubUc keys. TOs would manufarturcx s signature on the owner s certificate 239 and 

allow greater reliance upon purely hierarchical trust models, the employer's signature on the rekey instrucUon 231. The 

which generally allow shorter and simpler certification paths ^^^tcd device then cornpktes the key generaUon and esaow 

requiring fewer certificates, less effort to detennine which Proccss. as before including the owner s unique identifica- 

catificafes to utilize and less computational time to verify 15 tion number 233 within eadi escrow share packet and sends 

the sicnatures packets only to the escrow agents 235 designated 

^ ■ by Ae einployer in the rekey instruction 231. Subsequent 

Owner-Contrc^ed Rekeying replay of these instructions (which may be issued 

As previously described, the user also has the option of electronically) can be limited by designing tiie device so thai 

rekeying his device as to its user encryption key pair at any 20 ^e device retains in non-volatile storage the serial numbers 

time after manufacture. The user does this by issuing a of the last several rekey instructions it received and refuses 

firmware instruction to the trusted device to perform the to execute the instructions again. Assuttiing the device's 

particular steps of the key escrow meUiod, ie. to generate a time dock is maintained in good order, subsequent replay of 

new private and public encryption key pair, send the key the rekey instructions can also be limited naerely by instruct- 

splits to the escrow agents and ultimately receive a new 23 ing the device's time clock to honor the expiration date and 

escrow certificate from the master escrow center. However, time in the instruction. In a jMefcrred embodiment, a device 

it is also desirable to permit a usa's employer or sponsor (or whose clock is uncalibrated would refuse to process a rekey 

owner, iftheusa is anodicr device or process) to control tiie instruction that has a non-null eviration datertime but 

key and rekey processes in order (a) to make sure that the would proceed if the expiration date/time were left null, 

user selects escrow agents that the employer deems accept- 30 Upon receiving from a user device the key (or rekey) split 

able and (b) to assure that the en4)loyer, as the true owner share packets containing a unique owner identification 

of the device, will remain known to those selected escrow number, the escrow agents and master escrow center would 

agents and hence wiU be able to request the user's key ^lits record diat unique identification number in their respective 

fi-om the escrow agents without having to first obtain a databases and would subsequentiy boncx* requests from that 

warrant or court order. The eii^)loyer may require access to 35 owner for access to the private encryption key. In a preferred 

a particular device's keys for any number of reasons, such embodiinent, the escrow agents and escrow center would 

as to conduct internal surveillance or to recover encrypted each require that a key split share packet that designates a 

proprietary data after the relevant device has been lost, unique owner identification number must also be accompa- 

stolen or destroyed. The employer may also need to rekey nied by the respective device owner certificate signed by the 

the device for any of a number of reasons, such as fcff a 40 manufacturer. This device owner certificate would allow the 

device whose previous encryption signature keys have esaow agents and the master escrow center to act upon key 

been conqjromised or erased, for a device that has been request messages signed with the owner's private signature 

given to a diff^ent employee, or for a device whose owner- key concsponding to the owner's public key in the device 

organization rekey s all cryptographic devices at periodic owner's cotificate. 

intervals as a matter of policy. 45 In another embodiment, tiie trusted device can be allowed 

In the preferred embodiment, die trusted device is pre-srt to accept rekey, recscrow, ownership transfer or other 

by the manufacturer such that it will not initiate the key instructions from the device owner without having to use a 

generation and escrow process unless the device first separate device owner's certificate. The requirement of 

receives an owner's certificate for the device 220, such as having to use a separate owner's certificate for instructions 

one shown in FIG. 22, containing the particular device's so to the device is an administrative burden, because the owner 

permanent serial number 221 and signed 225 by the manu- must maintain a database of certificates for all its owned 

facturer. The owner's certificate 220. issued at the time devices and locate the appropriate certificate each time it 

purchase by the manufacturer to the corporate purchaser of wants to rekey a device or send the device some other 

the device, also contains the corporation's name 222, the instructions. A better £^roach, as shown in FIG. 26. is to 

corporation's uiuque identification number 223 (such as 55 have the manufacturer issue the owner a single certificate for 

Internal Revenue Service En^loyer Identification Number the owner's public instructions key for a given family of 

(EIN) or Dun & Bradstrect Nuniber (DUNS)) and tiie devices, let the seller install its public instructions vcrifica- 

corporation's public signature verification key 224, which tion key 261 inside the device 260 when the device 260 is 

corresponds to the private signature key retained by die sold, and then institute a system based on the internal storage 

coiporation and which will be used to verify rekey or other 60 of those keys. Upon initial sale of the device by its manu- 

instructions issued by the corporation to the device. Subse- facturer to an owner, the device 260 will first verify the 

quent to receiving tills information, the device will respond validity of the owner's manufacturer certificate 262 using 

only to rekey or other instructions that are signed using the the manufacturer's public instructions key 263 that was 

corporate owner's private signature key corresponding to the embedded within the device by the manufacturer. If the 

public key contained in the device's owner's certificate. 65 owner public instructions key area 264 within the device is 

Referring now to FIG. 23. when the employer (the owner blank, the device will cc^y the owner's public instructions 

of the device) desires to rekey the device 230. the employer key 261 from the owner's manufacturer certificate 262 into 
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the owner public instrucUoas key area 264 of the device. If a manufacturer's certificate 242 for the coiresponding pubLc 
an owner public instructions key already exists in the device signature key. It also contains secure copies of the manu- 
and is different from that of the owner attempting to initial- facturcr's and systerawide (or global) authority's (SWA) 
izc the device, the device assumes that the manufacturer has public keys, which could be the same, and secure system- 
sold the device lo another entity. Because each device will 5 level firmware that can support the remote installation of 
have at most one primaiy owner, ownership of that device additional application-level firmware and related public 
wUl be dctcrraincd by the presence or absence of an owner's ^y^- discussed elsewhere in this disclosure. The device 
public instructions key 261 inside the device 260, in lieu of register with any one of a potentially unlimited 
(or in addition to) the prior concept of an owner's certificate. number of TTPs 241 that arc admitted into this general 
If no owner public instructions key is installed, the device lo registration system by having been issued a certificate of 
is considered to be a single^ser consumer device that is authority 243 signed by the SWA (the SWA could also 
unrestricted with regard to rekcying or ownership transfer of ^Vpoiat an additional tier of certifiers to authorize TTPs to 
the device; as such, the device wiU consider the non- ^. a^"«* system, in accord with well known 
existence of ao installed owner's key as a signal to obey the principles of pubUc key certification hierarchies). Once 
user's instructions without invoking the rekcy. recscrow and 15 "^^^ "^^^ registered their devices with a given TTP, they 
ownership transfer rules discussed above. If an owner public f^" engage in specialized transactions with other trad- 
instnictions key 271 has been installed within the trusted partners. 

device 270, as shown in FIG. 27, then user rekey, re-escrow ^ fffocess, the user initiates a request 

and ownership transfer instructions 272 will not be pro- 244 to register his device 240 with a given certificdTTP 241. 

cessed unless those instructions are signed 273 by the 20 request 244 contains some infonnation 245 to identify 

cocrespoading owner private signature key 274. Once die ^ ^ nature of the registration request and is 

owner's signature 273 has been verified, the trusted device signed by the device and accompanied by the manufactur- 

270 performs the steps of the re-escrow procedure, as cr's device certificate 242 to order to vouch for the signature 

described pffcviously. Thus, the owner need not append an known type of the device. The selectedTrP241 may 

owner's certificate proving his ownership of a given num- 25 ^so request other infonnation and assurances fi"om cither 

bercd device when tostructing that device. However, the ^ parties to verily the user's identity, 

owner's signed instructions must of course be limited to a affiliation, creditworthiness, etc., which are outside the 

numbered device or perhaps to some class of devices whose ^ jffotocol but may influence the TTP's decision 

device numbers confonn to a given rule or tcn^>late, in order 8Tant or d eny th e desired authorization to perform trans- 

to prevent the instructions fi-om being fed into every device ^ actions. The TTP 241, using the appropriate public keys, 

owned by that owner. verifies the manufacturer's signature on the device certifi- 

In addition, as shown to FIG. 28, the owner can send an signature on the information 245 in 
tostruction to transfer device ownership by replacing the r^stradon request 245. 
origtoally-mstalled owner public instructions verification When satisfied that the user can be permitted to engage to 
key with another (from the buyer, the new own«- of the the requested class c£ transactions, the TTP 241 tficn issues 
device). The device owner sends an ownership transfer ^ response 246 containtog a certificate 247 specifically 
tostruction 282 to the device 280, includmg the new owner's authorizmg the device to perform those transactions on 
name and public tostructions verification key, signed ustog behalf of the user. The TTP's device authorization certificate 
the current owner's private tostructions signature key 283. typically contato inf<Hmation idcntiiytog the TTP, 
The device verifies the ownership transfer instruction 282 ^ "f^' user's device, and the transactions for which 
ustog the current owner's public instructions key 281, permission is granted, as well as a recertified copy of the 
replaces that key with the new owner's public instructions device public signature key as a matter of convc- 
key 284 and thereafter responds to instructions only from the nience (and as later discussed) so that the user need not 
new owner. In addition, the owner could also add another submit his device certificate 242 to each subsequent trans- 
"secondaiy owner" by tostalltog a second public instructions action with trading partners. The TTP response 246 may also 
key. This second public instructions verification key would contain downloadable firmware and or public keys 248 to be 
have a *Vights" field, todicattog for which operations it is loaded toto the user's trusted device to enable it to perform 
authorized to accept instructions. Among those rights might ^® authorized d:ansactions. Where the TTP response 246 
be: rekcy, addition of another owner, deletion of an owner *^ ^ securely load new firmware or public 
(same as a conditional sale), deletion of all owners, and 50 keys into his device, the response 246 will also include die 
reverttog back to a consumer device havtog no stated owner. TTP's certificate of authority 243 issued by the SWA ceiti- 
Howcvcr, these defined rights may mclude more or fewer ^ TTP's public signature key and conveytog firm- 
rights ttian, or the same amount <rf rights as, the origtoal cr P^^^^ t^Pgrade authority. When the user's 
primary instructions verification key, todudtog the right to ^msted device 240 receives the TTP's response 246, it uses 
replace or remove the primary owner instructions key. ^5 its embedded SWA public signature key to verily the TTP's 
. certificate d authority 243 and uses the TTP public signature 
Gencrahzcd Device Registration key contatoed thereto to verify the firmware and public key 

Note that the foregotog general methods for escrowtog a upgrades 248 and the TTP's device authorization certificate 

private decryption key and receiving an escrow certificate 247. 

can also be aR>lied to the more general case of registering 60 Referring again to FIG. 24, when the user wishes to 

a trusted device with a trusted third party and recdvtog an perform a transaction witfi a tradtog partna 250, its device 

authorization ftxDm dial third party enabling the device to will formulate the transaction data 249 to accord with the 

oonomunicatc with other tmsted devices, not necessarily rules embodied to die firmware program tostalled on the 

liinited to scope or purpose to the key escrow sittiation. In device (either at time erf manufacture or upon subsequent 

tfiis general process, depicted to FIG. 24, a progranunablc 65 downloadtog). as has been extensively discussed throughout 

^ste d dev ice 240 that conununicatcs witfi a trusted third this disclosure, and will sign the transaction 249 and attach 

party (TTP) 241 is equipped with a private signature key and a certificate for its ccrresponding public key. This certificate 
could be the manufacturer's device certificate 242 but will more likely be the TTP's device authorization certificate 247 which contains a copy of the device public key recertified for convenience. The trading partner 250 will typically utilize the public key of the TTP to verify the TTP's signature on its device authorization certificate 247 and then use the device public signature key [...] verify the device's signature on the transaction 249, thereby confirming the device's compliance with the transaction protocol requirements imposed by the relevant firmware. In the event that the trading partner 250 does not already have the specific TTP's public signature verification key, the user can include in his transaction 249 the TTP's SWA certificate of authority 243, which the trading partner can verify using the SWA public key, which it must already possess in order to be a participant in this system.

The generalized process thus far described is general enough to allow (a) the escrowing of a private encryption key in return for an escrow certificate signed by an escrow center (TTP), where the information contained or implied in the user device certificate conveys to the escrow center that the device is already equipped with firmware that is capable of performing the specialized functions of the herein-described key escrow [...] device is not so equipped but is capable of becoming [...] equipped, the downloading of a secure so[...] upon installation will enable [...] system transactional requirements. The transaction data 249 sent to the trading partner 250 can be an encrypted [...] prefixed by a message control header and accompanied by [...] by a TTP 241 (the master escrow center).

The generalized system of FIG. 24 therefore possesses many highly desirable properties which can facilitate complex forms of business and government transactions in open communication network environments. In particular, there can be many different device manufacturers, as long as each participating device is able to execute secure multi-step transactions, download firmware to perform [...] of secure "multi-step [...] so created. Also, there can be any number of trusted third parties, each issuing a different type of transactional authorization and each creating and certifying a different class of firmware application such as key escrow, [...] management, car rental or user medical record management. Thus, although a trading partner may be required (by the user device's firmware and protocols) to utilize a com[...] accepted and processed in accord with [...] long as the partner possesses a copy [...] public signature verification key 247, which enables all versions of the devices and their [...] to recognize [...] work together if so certified by the SWA [...] examples of business purposes [...] protocol include systems that enforce transactional requirements for (a) encryption using provably escrowed keys, (b) management of digital [...] high-value documents and (c) access to and use of medical or other personal information of the user.

Unique Owner Identification Number

Depending on the need to balance ease of use with privacy rights, the unique owner identification number may also optionally appear in either (a) the user's escrow certificate or (b) MCHs issued during normal communications, as well as in the key split messages to escrow agents. It would be desirable for an investigator attempting to decrypt communications to be able to determine by looking at a MCH containing the owner identification number whether one or both of the devices involved in the communication from which the MCH was [...]. However, other privacy interests, including those of certain owners, might suggest that the owner identification number [...] communications. In cases in which the owner identification number [is] included only in the device escrow certificate and [...] communications, an investigator, hired [by a] particular employer in an attempt to determine whether [a] particular communication originated from employees of that employer, confronted with many MCHs that have no listed device owners, would inquire of a master escrow center listed in a given MCH whether that MCH originated from a device owned by the employer. The master escrow center would decrypt the certificate number of the party to the MCH communication whose keys are escrowed with that master escrow center and check whether that user certificate was issued to the investigator's employer. If so, and if the investigator's request is signed [...] signature key (i.e., the investigator has authorization from [...] to investigate), the master escrow center would reveal this information. If the investigator has no authorization, the investigator would then be required to [...] investigate suspicious activity reflected in MCHs of unknown device owners. It is [...] openly named in their user's escrow certificates and MCHs. [...] communications systems it is [...] suppress the physical and logical network [...] information often strongly identifies the sending [and] receiving institution of a given message. Thus, little is lost by publicizing the unique owner identification numbers, [...] providing the ability to quickly sift [...] messages by sender device owner and recipient device owner names.

[...] identification number may, however, still be included within the employee's escrow certificate or within the MCHs of communications without being publi[...] employee's escrow certificate and MCHs would [...] keys would normally [...] in both the sender's and recipient's escrow [...] and recipient have [...] when the sender's device forms the MCH, it [...] in the MCH one or both employer unique [...] a message consisting of that respective employer [...] can decrypt. This method [...] that discussed above regarding the sender's use of the MCH to send the certificate numbers of both the sender and recipient encrypted under the public encryption keys of their respective escrow centers, and to send the [...] of both parties. This technique allows the employer to [...] employees, [...] avoiding a situation in which all messages belonging to the owner-employer's employees are readily identifiable in the message traffic flow and in which owner ID numbers are unencrypted and readily obtainable.

Still, this approach has the drawback that the unique employer identification number encrypted using the
employer public encryption key will always produce the same, and thus recognizable, value. A better implementation of this approach would be to encrypt a data block containing a current timestamp (or another random number) along with the employee's escrow certificate number (which the employer clearly has the right to know) under the employer's public key, so that the timestamp would give high variability to the encrypted data block. Several bytes of a distinct eyecatcher text, such as "EMPL" (or possibly the employer's unique ID, space permitting) could also be included inside the encrypted block in order to make successful decryption obvious to an entity that is decrypting the field (in case the other data items are in binary, in which case one might not know for sure). In this case, proof of the employer's ownership consists of the employer merely being able to read this field. In addition, yet another random number could be added to the data block for increased variability, in case the timestamp is not sufficiently trusted to be different each time and to therefore make all employer MCH data blocks unique.

[...] message that is sent would make it possible for employers and other sponsors to determine which communications were generated or received [...] without having to submit the encrypted MCH for every communication to the appropriate escrow center for a determination as to whether or not any of those communications [...] from a device owned by that employer, thus probably saving [...] will still [...] agents, as before, in order to obtain its employee's private encryption key, and must prove that it is in fact the owner of the employee's device by signing its requests with the private signature key that matches the public signature verification key contained in its owner certificate as issued by the device manufacturer. At least the employers will be spared the time, effort [and] expense of any additional requests to those parties regarding the MCHs of communications originating from what later turn out to be non-owned devices. And, as before, if an employer suspects criminal or other improper activity in messages accompanied by MCHs from communications by non-owned devices, the employer can always contact an appropriate law enforcement agency, tell that agency why it suspects criminal activity and have that agency go to court to obtain a warrant for interception and/or decoding of those communications, which appear to be originated by third party non-employee criminals or, more likely, by individuals on the employer's premises, whether employees or not, who are using encryption devices not owned by and registered to the employer.

This method of placing information in the MCH encrypted so that the information can be read only by the party entitled to read it can obviously be extended to parties in addition to the sender and recipient (each of whom can decrypt the message session key), each party's master escrow center (each of which can decrypt its respective user's certificate number), and each party's employer-owner (each of whom can decrypt its employee's certificate number or its own unique owner identification number, so as to ascertain whether it owns the communicating device without having to contact anyone else, while avoiding being identified on every message). This can also be extended to other parties such as divisions within a very large company or, for example, local law enforcement in certain foreign nations that have no warrant requirements. Of course, all the information encrypted under these keys could also be shown in the clear, i.e. unencrypted, as discussed earlier, providing that these parties have no objections to being openly named and routinely identifiable on every message. This information can also be omitted whenever a party is irrelevant, for example when a user has no employer. The simplistic approach would be to use one MCH format for all situations, leaving fields blank when inapplicable. Otherwise, the preferred embodiment would be to utilize various different MCH formats within the same system, each format being identified by a unique version number in the first field, such that each device processing a MCH would be able to determine which fields to expect and parse the MCH accordingly. This method would allow for an indefinite nesting of interested parties in the MCH, which would be the most flexible possible system. The computational overhead would depend mainly on how many of those fields actually had to be encrypted under each respective party's public encryption key.

[...] is included in the MCH by accompanying each entry with a [...] containing code instructing the employer's device as to what information to include in the MCH. As before, the instructions code could include elements of choice giving the employer options of including the following information: (1) the employer's name and unique identification number, either encrypted or using an alias; (2) the word "employer" unencrypted, with [the] employer's unique identification number encrypted [...] MCH field; (3) the user certificate number in an encrypted field; (4) the message session key in an encrypted field; (5) a timestamp in an encrypted field; and (6) a random confounder number within any of the other encrypted fields. Many of these options can be in effect simultaneously. In addition, these policy options would be the same for all members of the community of interest, including the parties to the communication themselves, thereby allowing the parties to be labeled by their mail or system IDs or simply by using the word "sender" or "receiver" in the relevant MCH fields.

Multiple Simultaneous Escrowed Keys

In addition to the above-described features for upgrading device firmware routines and for replacing manufacturer's public keys, the trusted device of the present invention should also have the ability to maintain and manage several sets of escrowed encryption keys simultaneously. Normally, when the device begins the cycle of rekeying, i.e., generating and escrowing a new private decryption key, and as a result receives an escrow certificate for the corresponding new public encryption key, the device will erase the previous private key in order to force reliance of the device on the newly escrowed private key. Alternatively, the device could retain the previous private key for only a short time as needed, e.g. for the time needed to recover data encrypted into data storage using the previous private encryption key. However, in an alternate embodiment, the device may also accept and process a re-escrow instruction, either from the user or from the device owner as described above, to create a second valid escrow certificate concerning the same private/public encryption key pair. In this embodiment, the device would proceed with the escrow process using quite possibly a different list of escrow agents and a different master escrow center, and would receive a different, equally valid escrow certificate for the same public/private encryption key pair that is signed and issued by the second master escrow center and can be used interchangeably with the first escrow certificate. This second public encryption key certificate can be of use in cases in which the device's user travels internationally or corresponds with parties located in other countries, especially when those other nations may desire to conduct lawful surveillance of communications originating or terminating in that other nation. In such cases, by re-escrowing the same device key in another nation, the user (or the user's employer) could help to satisfy possible legal requirements in that other nation, while still allowing the user or employer the convenience of doing business with the original set of escrow agents in his own nation (lawful owner monitoring, recovery of lost key, etc.). Then, in order to allow the owner to track its employees' MCHs, it may be enough if the sender and recipient owner IDs appeared in each MCH, thus telling the owner that it does indeed have the ability to obtain the key. To save time and effort, the owner may then send such an MCH to the foreign master escrow center to obtain the foreign escrow certificate number, the underlying device number and the underlying device certificate, but then apply to its domestic escrow agents who can verify the owner's certificate already in their possession and release the actual private key splits. This procedure relieves the device owner of any extra legal formalities that might be required in order to obtain the actual key splits from the foreign escrow agents.

National Security Export Safeguards

The current policy of the United States government is to allow unregulated use of encryption within the United States by American citizens but to impose heavy restrictions and penalties for the export of encryption devices, software or know-how. It is possible to modify the present system to allow relatively free private use of cryptographic devices in the United States while simultaneously imposing restrictions on their international use. Such a system could allow separate inter-operable "policy domains" that are open to all software and hardware vendors with minimal or no design changes to the standard message formats used throughout the system. It is further desirable to allow the use of private escrow agents in purely intra-corporate, single country situations, in which the key escrow system is being used solely to allow a particular corporation to monitor and control its own employees' uses of encryption, without any obligation, express or implied, to facilitate law enforcement access to communications that have been encrypted using keys the corporation has escrowed. In particular, such companies might buy the software and hardware for their own use but might decline to assume any public duty to provide access to private keys in short time frames, as might be desired by law enforcement in hot pursuit of criminals or terrorists.

This can be done by first assuming that all devices throughout the system are linked directly or indirectly to a system-wide authority (SWA) that (as previously disclosed) issues certificates to escrow agents, master escrow centers and device manufacturers in order to enable each to be recognized by devices within the system as being authentic and trustworthy. A national or global communications system must for practical purposes support the existence of multiple and unrelated master escrow centers and agents, each of which must be certified by the SWA as being authentic. In each certificate issued to a master escrow center or to an escrow agent, the SWA will designate it as either "public" or "private." A "public" master escrow center or escrow agent is one that is equipped and committed to respond promptly to national security or law enforcement warrants and subpoenas. Users whose keys are escrowed with such agents may be permitted to engage in transborder communications. A "private" master escrow center or escrow agent includes those single-company or single-country key centers that have installed key escrow system technology for their own use but do not undertake any commitment to a public level of service. The certificate from the SWA to the master escrow center or escrow agent will also include a country code. Then, each user's escrow certificate that is issued and signed by a master escrow center and has the master escrow center SWA certificate attached will also carry the user's country code. Note that, as a matter of convenience, the user's escrow certificate should also state that it originates from either a public or non-public escrow agent although it may not be possible for the SWA to enforce the correctness of that information. This could allow the device to enforce these rules even more easily than always requiring the master escrow center's SWA certificate.

FIGS. 29 and 30 show the enforcement of the escrow requirement when sending and receiving international cryptographic communications. As shown in FIG. 29, the trusted device 290 of the sender enforces this system by requiring the escrow certificates 291, 293 of both the sender and the recipient, and, if the sender and recipient are not escrowed with the same master escrow center, their master escrow center SWA certificates 292, 294, prior to sending an international communication. The country codes 295, 296 of the recipient user and its master escrow center must match in order for a sending device 290 to send a communication. Furthermore, if the sender and recipient are in different countries 295, 297 and if either user is using a non-public master escrow center 298, 299, the sending device will refuse to originate a communication to that recipient. As shown in FIG. 30, the recipient trusted device 300 will also enforce this system by refusing to decrypt a communication, if one is somehow originated, in which the sender and recipient are in different countries and if either user is using a non-public master escrow center. These rules will effectuate the desired policy of disallowing unescrowed international cryptographic communications, because the master escrow center cannot falsify its public status, which is certified by the SWA, and, even if the master escrow center could falsify the user's country code (to make the user appear to belong in a foreign domain), the devices will not allow a discrepancy between the user's and the master escrow center's country codes. Although these rules do not prevent a user from improperly transporting his trusted encryption device across national boundaries, they do allow easy compliance with national requirements by permitting him to maintain an escrowed key in each nation and to communicate using only the proper key in each policy domain.

Multi-User Device Versions

Another feature of this invention is the ability to initiate and simultaneously manage several different sessions of communications with different local or remote users using the same device. Many larger computers support multiple users who are often simultaneously logged on via terminal sessions but who may wish to initiate encrypted sessions with other entities around the world. However, because it would be highly inefficient to require a separate trusted device for each user session on a shared computer, the trusted device could track the message session key for each communication by storing it along with a unique message sequence number (MSN) for that session. Then, when any additional message packets bearing that MSN arrive, they could be decrypted, and responses encrypted, without delay. Furthermore, the device could escrow the private decryption
keys of several users while linking each user private key with a particular user unique identification number and allowing each key to be used only on presentation of some suitable user authentication, such as a password, smart card, [...] public/private key pair as it is generated for escrow, the usual controls on passwords, such as length, expiration, retry lockouts and ease of guessing, could then be imposed by the device in order to limit the possibility of unauthorized access.

Thus, a cryptographic system and method with key escrow feature is provided. One skilled in the art will appreciate that the present invention can be practiced by other than the described embodiments, which are presented for purposes of illustration and not limitation, and the present invention is limited only by the claims that follow.

What is claimed is:

1. A method of authorizing a trusted device to conduct an electronic transaction between a first user and a second party, and providing assurance that said trusted device will engage in said electronic transaction in accordance with predetermined rules which cannot be changed by said user, said method comprising:

electronically transmitting from said trusted device to a third party a request for authorization to engage in said electronic transaction, said request including the identity of said trusted device;

determining, by said third party, that said trusted device should be authorized to engage in said transaction at least in part in accordance with a determination that said trusted device will operate only in accordance with said rules;

electronically transmitting from said third party to said trusted device authorization to engage in said electronic transaction, said authorization including certification that said third party provided said authorization;

electronically transmitting from said trusted device to said second party said certification as assurance that said trusted device is authorized to engage in said electronic transaction and will do so only in accordance with said rules; and

electronically transmitting transaction data from said trusted device to said second party in accordance with said rules.

2. A method as in claim 1 wherein said authorization transmitting step includes the step of transmitting said rules from said third party to said trusted device.

3. A method as in claim 1 wherein said trusted device [...]

4. A method as in claim 1 wherein said authorization transmitting step includes the step of appending a digital signature to said certification.

5. A method as in claim 1 wherein said request transmitting step [...] transmitting certification of [...] digitally signed by a manufacturer of said trusted device.

6. A method as in claim 1 wherein said determining step includes the step of determining whether said trusted device is tamper-resistant based upon said identity of said trusted device.

7. A method as in claim 1 wherein said trusted device has associated with it a public key and a private key of an asymmetric cryptosystem and said request transmitting step includes the step of transmitting said device public key to said third party.

8. A method as in claim 1 wherein said trusted device has associated with it a first key and a second key of an asymmetric cryptosystem and said step of transmitting transaction data to said second party includes a step of appending a digital signature of said trusted device created with said first key.

9. A method as in claim 5 wherein said identity certification includes a public key of a public-private key pair for said trusted device and said request transmitting step includes appending a digital signature of said trusted device created with said device private key to said request so that said third party can confirm that said request came from said trusted device.

10. A method as in claim 8 wherein said step of transmitting transaction data to said second party includes a step of transmitting said second key to said second party.

11. A method as in claim 8 wherein said first and second device keys are private and public keys respectively.

12. A method as in claim 10 wherein said first and second device keys are private and public keys respectively.

* * * * *
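The FIG. 29/30 policy-domain rules from the National Security Export Safeguards section above, as an added illustration that is not part of the patent: the device refuses to originate (and to decrypt) cross-border traffic unless both parties' master escrow centers are SWA-certified as "public", and refuses to send when a user's country code disagrees with its center's. The certificate structures, names and sample data are assumptions made for the example, and checking the sender's own country code as well as the recipient's is a generalization of the FIG. 29 rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CenterSwaCert:
    """SWA certificate for a master escrow center (constructed fields): the
    SWA-assigned country code and the "public"/"private" designation."""
    center_id: str
    country: str
    public: bool


@dataclass(frozen=True)
class EscrowCert:
    """User escrow certificate issued by a master escrow center; it carries the
    user's country code and names the issuing center."""
    user_id: str
    country: str
    center_id: str


class PolicyViolation(Exception):
    """The device refuses to originate or decrypt the communication."""


def _centers(sender, recipient, swa_certs):
    """Both master escrow center SWA certificates must be at hand; without
    them the device cannot read a center's country code or public status."""
    try:
        return swa_certs[sender.center_id], swa_certs[recipient.center_id]
    except KeyError as missing:
        raise PolicyViolation(f"no SWA certificate for center {missing.args[0]}") from None


def _check_country_code(user, center):
    # A user's country code must match its master escrow center's code.
    if user.country != center.country:
        raise PolicyViolation(
            f"{user.user_id}: country {user.country} differs from "
            f"center {center.center_id} ({center.country})")


def _check_cross_border(sender, s_center, recipient, r_center):
    # Across a border both parties must be escrowed with "public" centers,
    # i.e. ones committed to answer lawful warrants; otherwise refuse.
    if sender.country == recipient.country:
        return
    for user, center in ((sender, s_center), (recipient, r_center)):
        if not center.public:
            raise PolicyViolation(
                f"international traffic via non-public center "
                f"{center.center_id} ({user.user_id})")


def may_send(sender, recipient, swa_certs):
    """Sender-side enforcement (FIG. 29). Returns (allowed, reason)."""
    try:
        s_center, r_center = _centers(sender, recipient, swa_certs)
        _check_country_code(sender, s_center)
        _check_country_code(recipient, r_center)
        _check_cross_border(sender, s_center, recipient, r_center)
    except PolicyViolation as why:
        return False, str(why)
    return True, "ok"


def may_decrypt(sender, recipient, swa_certs):
    """Recipient-side enforcement (FIG. 30): a communication that somehow
    arrived is not decrypted if it crosses a border via a non-public center."""
    try:
        s_center, r_center = _centers(sender, recipient, swa_certs)
        _check_cross_border(sender, s_center, recipient, r_center)
    except PolicyViolation as why:
        return False, str(why)
    return True, "ok"


# Constructed sample data: two public national centers, one private
# single-company center, and users escrowed with them.
SWA_CERTS = {c.center_id: c for c in (
    CenterSwaCert("US-PUB-1", "US", True),
    CenterSwaCert("DE-PUB-1", "DE", True),
    CenterSwaCert("ACME-CORP", "US", False),
)}
ALICE = EscrowCert("alice", "US", "US-PUB-1")
BOB = EscrowCert("bob", "DE", "DE-PUB-1")
CAROL = EscrowCert("carol", "US", "ACME-CORP")
DAN = EscrowCert("dan", "US", "ACME-CORP")
MALLORY = EscrowCert("mallory", "FR", "DE-PUB-1")    # code inconsistent with center
STRANGER = EscrowCert("stranger", "JP", "JP-UNKNOWN")  # center not certified here

if __name__ == "__main__":
    for pair in ((ALICE, BOB), (CAROL, DAN), (CAROL, BOB), (ALICE, MALLORY), (ALICE, STRANGER)):
        print(pair[0].user_id, "->", pair[1].user_id, may_send(*pair, SWA_CERTS))
```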
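The employer-owner MCH field from the Unique Owner Identification Number section above (eyecatcher "EMPL", timestamp, employee's escrow certificate number and random confounder), as an added example not taken from the patent. A keyed Feistel permutation stands in for the employer's public-key encryption; it is deterministic like textbook RSA, which is what makes the bare employer ID produce a recognizable constant, and the field layout and key are assumptions of the example.

```python
import hashlib
import os
import struct
import time

EYECATCHER = b"EMPL"   # distinct text that makes a successful decryption obvious
BLOCK = 48             # 4 eyecatcher + 8 timestamp + 8 certificate number + 28 confounder
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function; every output byte depends on the whole input half."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic Feistel permutation standing in for the employer's
    public-key encryption. It adds no randomness of its own, so equal
    plaintext blocks always give equal ciphertext blocks."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def naive_field(employer_key: bytes, employer_id: int) -> bytes:
    """The form the patent warns against: the constant employer ID alone.
    Every message then carries the same ciphertext, which is recognizable."""
    return toy_encrypt(employer_key, struct.pack(">Q", employer_id).ljust(BLOCK, b"\0"))


def build_field(employer_key: bytes, cert_number: int,
                timestamp: int = None, confounder: bytes = None) -> bytes:
    """Preferred form: eyecatcher, timestamp, employee's escrow certificate
    number and a random confounder, encrypted together for the employer."""
    ts = int(time.time()) if timestamp is None else timestamp
    rnd = os.urandom(BLOCK - 20) if confounder is None else confounder
    block = EYECATCHER + struct.pack(">QQ", ts, cert_number) + rnd
    return toy_encrypt(employer_key, block)


def open_field(employer_key: bytes, field: bytes):
    """Employer side: decrypt and check the eyecatcher. Returns (timestamp,
    cert_number), or None when the field was not encrypted for this key."""
    block = toy_decrypt(employer_key, field)
    if block[:4] != EYECATCHER:
        return None
    return struct.unpack(">QQ", block[4:20])


# Constructed sample key and certificate number.
EMPLOYER_KEY = b"constructed employer key material"
EMPLOYEE_CERT = 12345

if __name__ == "__main__":
    print("naive field repeats:",
          naive_field(EMPLOYER_KEY, 4711) == naive_field(EMPLOYER_KEY, 4711))
    a, b = build_field(EMPLOYER_KEY, EMPLOYEE_CERT), build_field(EMPLOYER_KEY, EMPLOYEE_CERT)
    print("preferred fields differ:", a != b, "opened:", open_field(EMPLOYER_KEY, a))
```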
ABSTRACT

A system (100) and method of improving activation security allows a remote device (104) to identify that there is a difference between a first signal transmitted by a central site (102) and a first signal received by the remote device. A derived number is used. The derived number can be displayed to the user for verbal verification by the user, or the derived number can be used internally of the remote device, or the central site, for verification that is transparent to the user. A significant amount of security is added without substantially altering the communication protocol.

30 Claims, 5 Drawing Sheets
COMMUNICATION METHOD AND DEVICE

FIELD OF THE INVENTION

This present invention pertains to a secure system and a method therefor, and more particularly an improved system and method for monitoring a communication link.

BACKGROUND OF THE INVENTION

A device is personalized for subscription to a fee service by being provided with a unique identity upon initialization of the service. It is desirable to personalize the remote device from a central site in systems such as cellular telephone systems, cable telephone systems, networks and other communication systems, to ease distribution and provide flexibility in installation. It is further desirable to protect these credentials against interception during transmission to the legitimate device. For example, it is desirable to prevent "pirates" from downloading the credentials to other "blank" devices, thereby enabling these other devices to masquerade as the legitimate device when accessing fee services.

One proposed solution to this fraud problem is for the service provider to give a secret number to each legitimate device upon activation of a fee subscription. Later, when the device attempts to gain system access, it must prove that it has the secret number without revealing it over the air. This process is called "authentication". Protocols for authentication exist in many systems. For example, cellular systems, including the Global System for Mobile Communications (GSM), the United States Digital Cellular (USDC) system, and the Digital European Cordless Telecommunications (DECT) systems, have such protocols. In these systems, the remote device is a phone.

One of the difficulties to be overcome when implementing authentication is the problem of providing the remote device with a secret number. In GSM, a smart card containing the secret number is given to the subscriber. The subscriber must physically insert it into the phone by means of a specially-designed slot. Although smart cards insure that the phone has the correct secret number, they introduce the need for a complex mechanical and electrical interface. Furthermore, it limits the size, form factor, and ultimately the cost, of the phone.

Another proposal is for the subscriber to manually enter the secret number into the remote device, such as a telephone handset, using its keypad. This method has been slow to gain acceptance, due to a perceived user inconvenience. Additionally, many devices, such as cable boxes and pagers, do not have a keypad. Requiring a keypad in such devices will increase their cost and possibly their size.

It has also been proposed to use remote service provisioning, such as "over-the-air" service provisioning (OTASP), to initialize a fee subscription service. By means of a suitable protocol, it is possible for a service provider to remotely program a blank remote device without any direct interaction by the service shop or retailer. One of the components of the information conveyed is the secret number, called the "A-key", used for authentication. The use of a public key exchange insures that the air, line or cable interface transactions are not vulnerable to simple eavesdropping and subsequent misuse of the secure information conveyed.

Although the public key exchange is impervious to simple interception, it is vulnerable to a so-called "man-in-the-middle" attack. In such an attack, an intruder breaks into the communications link at precisely the "right" time to read and insert messages. A successful man-in-the-middle can deceive both the phone and the service provider into thinking that they are talking to each other when in reality each side is talking to the intruder. If the man-in-the-middle attack is discovered, action can be taken to defeat the attack. Thus [illegible] to the "A-key" without the knowledge of either side. It is desirable to provide protection by identifying the presence of an intruder in the communication link.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system diagram illustrating a prior art remote device and central site.

FIG. 2 is a system diagram illustrating a prior art cellular system.

FIG. 3 is a schematic illustrating a prior art cellular system activation protocol.

FIG. 4 is a schematic illustrating a cellular system according to FIG. 3 and including an intruder.

FIG. 5 is a flow chart illustrating operation of a remote unit.

FIG. 6 is a flow chart illustrating operation of a central site.

FIG. 7 is a flow chart illustrating operation of an alternate embodiment of the remote unit.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

A system and method of improving communication link security allows the subscriber device to verify reception of a first signal, which is at least a component of a public key, transmitted between a central site and a remote device. A derived number is used to verify reception. The derived number can be displayed for use in verbal verification, or the derived number can be used internally of the remote device and the central site, for verification that is transparent to the user. A significant amount of security is added without substantially altering the communication protocol.

A system 100 (FIG. 1) has a central site 102 and a remote device 104 that are coupled by a communication link 106. The central site 102 can be a base station, a service provider office, or a central switching center in a wireless communication system. Alternatively, it can be a switching office, a utility office, or a network server in a land-line cable or twisted wire communication system. In a two-way radio or pager system, the central site can be a base station, a fixed site, or another portable device. Accordingly, as used herein, "central site" refers to each of these or their equivalents.

The remote device 104 can be a telephone, a cable telephony interface device, a cellular radiotelephone, a cordless radiotelephone, a radio, a personal digital assistant (PDA), a pager, a palm-top computer, a personal computer, or other device which communicates with another compatible device. Accordingly, as used herein, remote device refers to each of these devices and their equivalents. The communication link 105 can be an RF link, a cable, twisted wires, an asynchronous transport mechanism (ATM), or the like, and "communication link" as used herein refers to each of these or their equivalents.

The present invention is advantageous in a system where devices communicate secure information. The present invention is particularly advantageous in a system employing an authentication key, or "A-key", or other secure number. A-keys and their derivatives are employed in such
systems to provide access control and to establish secure means for transmission of user traffic. However, improved monitoring of security for an "over-the-air service provisioning" (OTASP) protocol by which a remote device is activated from a central site is highly desirable. In such environments it is desirable to protect against intruders, in order to reduce the risk that a subscriber's number will be given to a plurality of devices which will masquerade as the legitimate subscriber. If the intruder succeeds, the legitimate subscriber is likely to be billed for the masquerading party's use of the service.

System 100 includes a central site 102 and a remote device 104, coupled by a communication link 105. The central site 102 includes a transmitter 106 communicating signals to communication link 105. The transmitter 106 can be implemented using any suitable commercially available transmitter, such as an RF modulation circuit, a light source, or other commercially available communication device. The transmitter 106 is coupled to a controller 108 via conductor, or bus, 110. The controller outputs signals for transmission by transmitter 106. The controller is coupled to a memory 114 via a bus 116 and a display 118 via bus 117. The memory stores information used by the controller 108. The controller 108 is coupled to an activation circuit 120 via conductor, or bus, 122. The activation circuit includes subscriber-specific data, such as a serial number. The controller 108 may be implemented using any suitable commercially available microprocessor, computer, or the like. The activation circuit can be implemented using a data base, a personal computer, or a centralized computer system. A program controlling operation of the controller is stored in the memory 114, which may be a chip memory device, a floppy memory, a tape memory, or the like. The display is implemented using any suitable means such as a liquid crystal display, a light emitting diode display, a cathode display, or the like. The central site can also include a receiver 124 connected to controller 108 and communication link 105 for receiving signals from the communication link 105 and inputting them to the controller, thereby facilitating bi-directional communications.

The remote device 104 includes a receiver 140 coupled to communication link 105 and to a controller 142 via conductor, or bus, 144. The receiver 140 is implemented using an RF receiver, a light sensitive device, or other means compatible with transmitter 106. The receiver demodulates signals, or otherwise converts signals received from communication link 105 into signals useable by controller 142. The controller 142 can be implemented using a microprocessor, a digital signal processor, a microcomputer, or the like. The controller 142 is coupled to a display 148 via a bus 149. The display is implemented using a cathode display, an LED display, a liquid crystal display, or other suitable display means. The controller controls display 148 to generate images for viewing by a user. The device need not have a display. A memory circuit 156 is connected to controller 142 via data bus 158. The memory stores an operating program for the controller and secure information received from the central site 102. The memory can be implemented using any suitable memory means, such as a chip EEPROM (electronically erasable read only memory), a tape memory, a disk memory or the like. The remote device can also include a transmitter 160 coupled between the controller 142 and the communication link 105 to transmit signals, thereby facilitating bi-directional communications.

In operation, the central site 102 communicates with a remote device 104 via signals transmitted on communication link 105. In existing fee for service systems, the remote device 104 is uniquely identified by an address or serial number. For example, a cable telephony interface device, or a mobile subscriber terminal, which may be a portable radiotelephone, a radiotelephone installed in a car, or any other class of cellular phone, have an electronic serial number (ESN) and a subscription identification (ID). At a minimum, the subscription ID is transmitted to the central site 102. This subscription ID is stored in the remote device memory 156 or in a portable memory which is inserted into the mobile subscriber terminal remote device 104. The central site uses this subscription ID for identification of the subscriber, and more specifically, for billing purposes. Accordingly, the subscription ID is intended for use in only one remote device.

Activation of device 104 includes associating the electronic serial number, or address, with a particular subscriber. For this purpose, a telephone number and subscription ID are stored in the remote device, if they are not already loaded. This can take place at the service provider's facility, or from the central site 102 through the communication link 105. In cellular systems, this is referred to as "over-the-air service provisioning". As used herein, over-the-air service provisioning refers to activation of a remote device from a central site regardless of whether communication is an RF wireless link, a cable, a network, a telephone system or the like.

A cellular OTASP system will now be described for illustrative purposes, as the invention is advantageous for this environment. A base station 202 (FIG. 2) is connected to a remote device 104 (a cellular telephone) through a communication link 105 which is an RF wireless link. The base station is in turn connected to the service provider central site 102 through a mobile switching office, or center, 206. A local public switched telephone network (PSTN) 208 is also connected to the mobile switching center 206. The service provider central site 102 facility includes a transceiver, having transmitter 106 and receiver 124, a controller 108, a memory 114, and a display 118.

The service provider, a central site, can also include a home location register (HLR), an authentication center (AC) and an over-the-air functionality (OTAF) for over-the-air service provisioning. It has become desirable for over-the-air service provisioning to provide the subscription ID to the remote device 104, a mobile subscriber in the cellular system. This allows the subscription ID to be down-loaded from the central site 102, the service provider facility, to the subscriber remote device 104. In the OTASP protocol, a subscriber purchases a "blank" remote device, which is a remote device having no subscription ID. This remote device can originate a special purpose call to any of several service providers (such as service provider central site 102) to request activation.

With reference to FIG. 3, once the base station 202 recognizes the special-purpose call on the control channel, the potential subscriber is routed through a voice channel to the service provider to exchange OTA messages between the service provider central site 102 and the mobile subscriber remote device 104. In a Rivest, Shamir, Adleman (RSA) embodiment, the public-key modulus N1 is transmitted to the remote device 104 from the service provider controller 108. N1 is the public modulus, and it is the product of P1 and Q1, two secret numbers stored in the memory 114 and having a known criteria. The remote device 104 responds to the modulus N1 by generating a ciphertext number C, which is a function of the modulus N1, a random number n generated by the remote device 104, and an arbitrary number e. The value of e is known to both the remote device 104 and
the central site 102. The response C is sent from the device to the service provider. When the ciphertext number C is received by the service provider, it is decoded using the equation n = C^d mod N1 (d being the private exponent corresponding to e) to determine n. The random number n is subsequently used to encrypt the authentication key, otherwise known as the A-key. The encrypted A-key is communicated to the remote device 104 from the service provider central site 102. Once the A-key is known to both parties, a series of messages are then exchanged between the central site 102 and the remote device 104 by which a security related variable called shared secret data (SSD) is mutually calculated by both the remote device 104 and the service provider central site 102. During over-the-air activation, the SSD is available for use in protecting user confidential information, such as credit card numbers. Each of the messages described in this paragraph is potentially vulnerable to a "man-in-the-middle" attack.

A man-in-the-middle attack (FIG. 4) occurs when an intruder 400 inserts himself into the transmission path at the beginning of the first base station 202 to remote device 104 message. The intruder intercepts the base station modulus N1, replaces it with another modulus N2, and then passes this modulus N2 to the unsuspecting mobile subscriber remote device 104. The mobile subscriber remote device 104 sends a random number encrypted using the intruder's modulus N2 back to the intruder. Upon decryption, the intruder re-encrypts the random number n using the base station modulus N1 and passes this number to the base station 202. At this point the remote device 104, the intruder 400 and the service provider central site 102 have the same randomly-generated number n. The intruder can remove himself from an active role in the base station-remote device communication link 105. The encrypted A-key can then be decrypted by both the remote device 104 and by the intruder. Likewise, the intruder can derive shared secret data (SSD) by eavesdropping on the communication link 105 and making use of the A-key. During OTASP, the intruder can obtain the subscriber ID using the A-key and thereafter load it into other devices, thereby putting himself in a position to commit fraud against the service provider and the legitimate subscriber.

It is noted that a second base station 202' and mobile switching center 206' are shown in FIGS. 3 and 4 to illustrate a more complex system. It is also noted that although the task of splicing into and out of a signaling exchange is difficult in an RF environment such as a radiotelephone environment, it may be accomplished at some time. This is especially true if the attack need only last for a short time, as would be required for the modification of selected bursts.

Further, for brevity, the remaining discussion will be of transmission of a derived value signal from central site 102 to the remote device 104, but it will be recognized that these roles can be reversed, and the derived value signal can be sent to the central site from the remote device.

To provide improved protection, the remote device 104 must be able to determine if it has received the same modulus N1 as transmitted by the service provider central site 102. One method of determining this is for the remote device 104 (FIG. 2) to perform a prescribed calculation on the received modulus, in order to generate and display a derived signal. The process is initiated, as shown in block 500 (FIG. 5), wherein the modulus is received by remote device 104. The controller 142 then generates a derived signal related to this received modulus, as indicated in block 502. The derived signal is shown in display 148, as indicated in block 504. For example, the controller 142 receives a modulus N, which is a long number, preferably having over five hundred characters. A character as used herein is a binary bit. The controller 142 then controls display 148 to display 7 to 12 alpha-numeric values related thereto, as indicated in block 504. Alternately, the alpha-numeric values may be converted into an audio signal output using a speaker (not shown). The 7 to 12 alpha-numeric values may be related to the first characters of the modulus, the last characters of the modulus, a hash of all the characters of the modulus, an exclusive OR of certain characters of the modulus, a CRC value of the modulus, a cryptographic check sum of the modulus, or may be of any other suitable relationship to the modulus. The mathematical relationship is predetermined and stored in the remote device 104 memory 156 (FIG. 2).

The controller 108 of the central site 102 likewise generates a number for display 118 having the same relationship to the modulus N1. The user can then read the characters on the display 148 to the service provider operator, who is simultaneously reading the display 118. If the numbers do not match, the OTASP process is aborted. This provides security since it will be difficult for the intruder to continue operating between remote device 104 and central site 102 and to mimic the voice of the subscriber without introducing a substantial delay period. It is likewise not feasible for the intruder to quickly generate a modulus different from N1 but producing the same derived number. A disadvantage of this method is that the user must communicate with a service provider operator, whereas it is desirable for the verification to be transparent to the user. Another disadvantage is that this method does not work in devices lacking a display or speaker system.

One method of determining that the correct modulus has been received without the assistance of an operator and a display is to transmit a derived value to the remote device 104 from the central site 102. At the central site 102, a modulus signal N1 is calculated, as indicated in block 600 (FIG. 6). The central site 102 also calculates a derived value having a predetermined relationship to the modulus, as indicated in block 602. The modulus and the derived value are transmitted as indicated in blocks 604 and 606. The order of transmission of these signals is not important. The activation process is carried out as indicated in block 608, unless an abort signal is received from the remote device 104. Activation includes transmission of an A-key and other signals according to the activation protocol.

The remote device 104 performs verification functions. The remote device receiver 140 (FIG. 1) receives the derived value and the modulus, as indicated in blocks 700 (FIG. 7) and 702. The controller 142 monitors the communication link by checking the derived value against the modulus, as indicated in block 704. If the derived value does not have the predetermined relationship to the actually received modulus, the process is aborted, as indicated in block 706. The system can be arranged such that monitoring the link can be performed continuously or periodically. Monitoring can be performed prior to or throughout the authentication, or activation, process. If the process is aborted, an abort signal is communicated to the base station 202 and the subscriber may be instructed on the display 148 to contact the service provider central site 102. Security is provided because it is difficult for the intruder to find his own pair of modulus factors such that his derived value is equivalent to that of the service provider's modulus. Thus, only by changing the modulus factors can the intruder decrypt the number n and then obtain the authentication key. Without the authentication key, the intruder can not learn the subscription ID or other secret information. However, if the intruder changes
the modulus, the derived value received from the central site will not bear the predetermined relationship to the intruder's modulus, and the device will flag the insertion of the intruder's modulus and abort the activation process.

The derived value can be transmitted globally, for use by all remote devices in communication with a base station 202. One message that can be used for this is a Global RAND (RAND being an abbreviation for a random or arbitrary number) in existing USDC telephone systems. The Global RAND is a number broadcast by a base station 202 to all mobile stations on the control channel. When the mobile subscriber remote device 104 is attempting system access, it will respond to this global challenge in order to perform an authentication function. The Global RAND is 32 bits in length, and is expected to change at least several times per hour.

Security is provided by specifying that a mathematical relationship exist between the service provider central site 102 generated modulus N1 and the global number. It is desirable, but not necessary, that the global number not change during the course of an OTASP protocol. The global number is transmitted to all remote devices before or after transmission of the modulus. The service provider central site 102 or the base station 202 generates the global message from N1, and the mathematical relationship of these numbers is known to the remote device 104 and the service provider central site 102. For example, the Global RAND can be the exclusive-or of 32 segments of N1, thereby providing the 32 bit number. Other mathematical relationships are equally feasible. Preferably a new Global RAND is generated at a rate of several times per hour, or once a minute. The global number is a function of N1, which in turn is a function of P1 and Q1. Those skilled in the art will recognize that P1 and Q1 are secret numbers generated according to known predetermined criteria, and that it is very difficult for an intruder to generate a suitable P1, Q1 and Global RAND meeting all the existing criteria for each of these numbers.

During the process of over-the-air service provisioning, the remote device 104 verifies that the modulus N received on the voice channel from the base station 202 is related to the Global RAND previously detected on the control channel. If N and the Global RAND do not have the predetermined relationship, then the remote device 104 aborts the over-the-air service provisioning process. Since an intruder cannot regenerate the same modulus as the base station, his modulus will not be related to the Global RAND.
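As an added illustration (not code from the patent), the following Python models the transparent verification of FIG. 6 and FIG. 7 with the Global RAND relationship just described: the central site sends N1 together with a derived value, the remote device recomputes the derived value from the modulus it actually received, and an intruder's substitute modulus N2 fails the check because the relayed derived value no longer fits. The derived value is read here as the exclusive-or of the 32-bit segments of N1 (an interpretation; the text does not fix the segment width), the hash-based display code is one of the display variants the text lists, the moduli are random odd stand-ins for P1 * Q1, and all function names are assumptions. The same check applies unchanged to any other "first number", such as a Diffie-Hellman public value.

```python
# Added illustration (not the patent's code): derived-value check between the
# central site (FIG. 6) and the remote device (FIG. 7) for the OTASP "first
# number".  Function names, the 32-bit segment width and the stand-in moduli
# are assumptions made here.
import hashlib
import secrets

SEGMENT_BITS = 32  # assumed: XOR of 32-bit segments yields the 32-bit Global RAND


def global_rand(first_number: int) -> int:
    """Derived value: exclusive-or of the 32-bit segments of the first number
    (N1 for RSA; a^S1 mod N would serve equally for Diffie-Hellman)."""
    mask = (1 << SEGMENT_BITS) - 1
    acc = 0
    while first_number:
        acc ^= first_number & mask
        first_number >>= SEGMENT_BITS
    return acc


def display_code(first_number: int, digits: int = 8) -> str:
    """Short value for the verbal-verification variant (blocks 502-504, FIG. 5):
    a hash of all the bits of the modulus, truncated to `digits` hex characters
    (8 is an assumed choice within the 7 to 12 the text mentions)."""
    nbytes = (first_number.bit_length() + 7) // 8
    return hashlib.sha256(first_number.to_bytes(nbytes, "big")).hexdigest()[:digits]


def central_site(modulus: int) -> dict:
    """Blocks 600-606: compute N1 and its derived value and send both.
    The order of the two fields on the wire does not matter."""
    return {"modulus": modulus, "derived": global_rand(modulus)}


def remote_verify(message: dict) -> bool:
    """Blocks 700-706: recompute the derived value from the modulus actually
    received and compare it with the derived value received; False means abort."""
    return global_rand(message["modulus"]) == message["derived"]


def intruder_substitute(message: dict, own_modulus: int) -> dict:
    """Man-in-the-middle of FIG. 4: the intruder replaces N1 by his own N2 but
    can only relay the derived value, since he cannot regenerate it from N2."""
    return {"modulus": own_modulus, "derived": message["derived"]}


def make_stand_in_modulus(bits: int = 1024) -> int:
    """Constructed stand-in for N1 = P1 * Q1: a random odd integer of the
    stated size.  Primality is irrelevant to the derived-value check itself."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def run_demo() -> tuple:
    """Honest exchange passes; the substituted modulus is flagged."""
    n1 = make_stand_in_modulus()
    n2 = make_stand_in_modulus()
    honest = central_site(n1)
    tampered = intruder_substitute(honest, n2)
    return remote_verify(honest), remote_verify(tampered)


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The check is only as strong as the difficulty of finding a second modulus with the same derived value; with a 32-bit XOR that is a 2^-32 chance per guess, which is why the text has the base station rotate the Global RAND several times per hour.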

In an attempt to counter this improvement, a dedicated intruder might attempt to deceive the remote device by masquerading as a base station having a Global RAND that is related to the intruder's modulus N2. To do this, the intruder must "splice" into a control channel and replace the Global RAND on a relatively long-term basis to deceive a potential target remote device prior to the target user's attempt to access OTA services. However, this would cause other remote devices within range of the intruder station to try to perform call origination using the intruder's Global RAND after locking onto the false control channel. Any remote devices using the intruder's Global RAND for either origination or page responses would fail authentication and trigger an alarm at the master switching station. Thus, the intruder risks causing disruption of service to other remote devices and subsequent detection at the base station 202.

Two alternate embodiments are envisioned which use a device specific derived value. In the first alternate embodiment, a unique signal related to N1 and for a specific
user is employed. An example of such a signal, which is proposed for the US digital system, is the RANDSSD signal transmitted over the voice channel. The RANDSSD is a 56 bit number that is shared by a remote device and the authentication station, and is sent to the remote device 104 during over-the-air service provisioning. The remote device uses the RANDSSD to generate "Shared Secret Data" (SSD) in a known manner. This random number is preferably maintained throughout the OTA process to prevent the intruder from only having to stay in the link until the A-key is generated. Shared secret data is for use in authentication responses and session key generation of future connections. It is stored in the authentication center of the service provider central site 102 with the remote device's subscription ID. It is periodically updated, and may for example be updated after the user returns from a trip during which the unit has left their home zone, which is stored in the home zone register. Alternately, the SSD can be updated periodically, such as on a monthly or yearly basis.

To provide security to the OTASP process, the service provider central site 102 generates a RANDSSD having a predetermined mathematical relationship to the modulus N1. Again, this can be any suitable mathematical relationship, such as the exclusive-or of 32 segments of N1. The remote device determines if the RANDSSD has the predetermined relationship to the modulus N2 actually received by it. If the predetermined mathematical relationship does not exist between these numbers, the process is aborted.

Even if the intruder has successfully spliced into an OTA session and obtained an A-key by sending his own modulus N2 (FIG. 3), he can not avoid detection at the remote device 104 by simply passing along the RANDSSD from the central site 102 because the RANDSSD is related to N1, and not to N2. If the intruder derives his own version of RANDSSD, namely RANDSSD2, based on his N2, the SSD calculated at the remote device 104 from RANDSSD2 will not match the SSD derived from RANDSSD1 and stored in the central site 102 authentication center. In order to continue the charade, the intruder is forced to stay "in-the-middle" throughout the verbal portion of over-the-air service provisioning because two different session keys (one on either side of the intruder) will need to be maintained.

Additionally, a value of SSD derived from RANDSSD2 will cause the remote device 104 to generate an improper authentication response when it attempts authentication with the service provider central site 102. This results because the SSD stored in the remote device 104 is derived from RANDSSD2 whereas the SSD stored in the AC of service provider central site 102 is derived from RANDSSD1. In future communications, the remote device 104 will fail continued authentication when it attempts to access service without the intruder interceding. This alerts the service provider of a problem in authentication, and reactivation can be performed as a remedy.
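As an added illustration (not the patent's code), this Python models the RANDSSD embodiment and the two outcomes the text describes: relaying RANDSSD1 alongside N2 is caught by the remote device's relationship check, while a RANDSSD2 re-derived from N2 passes that check but leaves the device with an SSD that differs from the one held in the authentication center, so a later authentication response fails and the provider learns of the problem. The relationship (low 56 bits of SHA-256 of the modulus), the HMAC stand-ins for SSD generation and the authentication response, the response length, the A-key and the moduli are all constructed assumptions; the text fixes none of them.

```python
# Added illustration (not the patent's code): the RANDSSD embodiment.  The
# derived relationship, the SSD and authentication-response stand-ins, the
# A-key and the moduli are all constructed assumptions.
import hashlib
import hmac

RANDSSD_BITS = 56  # the text gives RANDSSD as a 56 bit number


def randssd_from_modulus(modulus: int) -> int:
    """Assumed predetermined relationship: low 56 bits of SHA-256(modulus)."""
    nbytes = (modulus.bit_length() + 7) // 8
    digest = hashlib.sha256(modulus.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest[-7:], "big")  # 7 bytes = 56 bits


def ssd_generate(a_key: bytes, randssd: int) -> bytes:
    """Stand-in for SSD generation from the A-key and RANDSSD (HMAC here;
    the text only says SSD is generated 'in a known manner')."""
    return hmac.new(a_key, randssd.to_bytes(7, "big"), hashlib.sha256).digest()


def auth_response(ssd: bytes, challenge: int) -> bytes:
    """Stand-in for the authentication response to a 32-bit challenge such as
    the Global RAND; truncated to 3 bytes, an assumed length."""
    return hmac.new(ssd, challenge.to_bytes(4, "big"), hashlib.sha256).digest()[:3]


def remote_check_randssd(received_modulus: int, received_randssd: int) -> bool:
    """Remote device: abort unless RANDSSD bears the predetermined
    relationship to the modulus actually received."""
    return randssd_from_modulus(received_modulus) == received_randssd


def simulate(a_key: bytes, n1: int, n2: int, strategy: str) -> dict:
    """strategy 'none': honest exchange; 'relay': intruder sends N2 but passes
    RANDSSD1 along unchanged; 'rederive': intruder sends N2 with RANDSSD2
    computed from N2.  The intruder is assumed to have obtained the A-key by
    the FIG. 4 substitution, so device and AC still share the same A-key."""
    randssd1 = randssd_from_modulus(n1)
    ac_ssd = ssd_generate(a_key, randssd1)  # what the authentication center stores
    if strategy == "none":
        modulus_seen, randssd_seen = n1, randssd1
    elif strategy == "relay":
        modulus_seen, randssd_seen = n2, randssd1
    elif strategy == "rederive":
        modulus_seen, randssd_seen = n2, randssd_from_modulus(n2)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    check_ok = remote_check_randssd(modulus_seen, randssd_seen)
    device_ssd = ssd_generate(a_key, randssd_seen)  # what the device stores
    challenge = 0x1234ABCD  # constructed Global RAND for a later access attempt
    auth_ok = hmac.compare_digest(
        auth_response(device_ssd, challenge), auth_response(ac_ssd, challenge)
    )
    return {"remote_check_passed": check_ok, "later_auth_succeeds": auth_ok}


if __name__ == "__main__":
    key = b"constructed-a-key"
    n1 = 0xC0FFEE123456789ABCDEF  # constructed stand-in for N1
    for s in ("none", "relay", "rederive"):
        print(s, simulate(key, n1, n1 + 2, s))
```

The second outcome is the detection path the text relies on: the device-side check alone does not catch a re-derived RANDSSD2, but the mismatched SSD surfaces as a failed authentication at the authentication center on the first access the intruder does not mediate.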

The second alternate embodiment creates a mathematical relation between the modulus N1 and a session number used in a communication session, such as a seed for a session key. A session is the period between establishing and terminating a complete connection, such as the connection during which the over-the-air service provisioning process takes place, or the like. An example of a session number that may be used is a 32 bit RAND "re-authentication" number, a session seed transmitted over the voice channel in the USDC system. During re-authentication, the base station 202 (a service provider central site 102) and the remote device 104 generate a session key from the RAND re-authentication for use during the verbal component of over-the-air service provisioning. "Re-authentication" occurs after the SSD is generated.
In the USDC system, the remote device 104 checks to verify that the value of the RAND re-authentication signal is related to N1. In other systems, where the session number is maintained throughout the session, the relationship can be periodically communicated and verified, and if at any time during the session the relationship is not met, the remote device aborts the process. The session number is terminated, or canceled, at the conclusion of the OTASP session.

If the intruder matches the RAND re-authentication signal to N2, he can get duplicate copies of a remote device 104 A-key and the resulting SSD. However, he is forced to maintain his position "in-the-middle" throughout the verbal component of OTASP because the session keys for the remote device 104 and the central site 102 will differ. Maintenance of this position may be extremely difficult in some communications environments.

It can be appreciated by those skilled in the art that other variable parameters employed in the OTASP protocol for USDC can be used as the derived value. For example, the unique base station challenge, RANDU, and the remote device generated challenge, RANDBS, are also available for use as the derived value. RANDU is issued to the remote device 104 after SSD is calculated. The remote device generates RANDBS in response to the command to update its SSD. Both the remote device 104 and the central site 102 will combine the RANDBS signal with the new value of SSD just created. This response from the remote device to the central site is used to confirm that the correct remote device updated its SSD. The central site 102 sends a response called AUTHBS to the remote device 104 to confirm that the updated SSD order originated from a legitimate central site.

To avoid detection when either the RANDU or the RANDBS signals are used as the derived value, the intruder needs to break into the communication link and force false messages twice. The first time is when the intruder intercepts N1 and transmits N2, receives the random number n from remote device 104, and retransmits n to the base station 202. The second time is when the intruder needs to intercept RANDU or RANDBS, respond to the sender, and carry on the second half of the subprotocol associated with each of RANDU and RANDBS. Security is improved because it will be difficult for the intruder to maintain a prolonged connection, or break in at exactly the right time to intercept

[...]

be generated from the same modulus. The modulus can then be changed rarely, while the random number can be changed often. Because it is very difficult for the intruder to find a new derived value that matches the 40 bits, security is provided. It will be recognized that the division of derived and random bits can be different. For example, 36 bits derived from the modulus and 20 bits random, or any other suitable division of the bits.

Those skilled in the art will recognize that the above RSA public key cryptography examples are not restrictive, as the methods disclosed may be applied to other techniques. For example, the methods may also be used to provide improved security in Diffie-Hellman (DH) public key cryptography. In DH techniques, a pair of signals are exchanged between the central site 102 and the remote device 104. Each of these signals would be the result of a calculation whereby a public number is raised to a secret power, then divided by a publicly-known prime modulus N. More particularly, the base station 202 to remote device 104 communication includes a^S1 mod N and the remote device to base station communication includes a^S2 mod N. The values a and N are arbitrary and known to each party. An exchange of these numbers and subsequent combination of S1 and S2 results in the establishment of a common secret number between the two communicating parties. This common secret number is then available for use as a mask to encrypt the A-key. The remainder of the OTASP protocol would then proceed as described above with respect to RSA. The invention employs a derived value signal related to a^S1 mod N. It can be appreciated that the methods of this invention are equally effective when combined with the DH technique, the RSA technique, or other techniques. Thus, the "first number" as used herein refers to this number [illegible] of the public key in a DH technique, the modulus N in the RSA technique, which is a component of the public key, or any [illegible] advantageously employed in other systems.

The above protocols of OTASP employ at least a component of a public key in the initial exchange, and more particularly, the examples as described utilize RSA or DH techniques. Other public key techniques can alternately be used. For example, elliptic curve public key can be used. It will also be recognized that elliptic curve cryptography can

the communications and derive q)prcpriate modulus and ^ used to iniplemcnt the DH technique, 

derived values. It is also envisioned that the derived value can be gener- 

Regardless of die choice of parameter upon which to »ted from a pluraHty of protocol parameters. For example, 

relate die derived number, die derived number can be the derived value may be distributed among potions of 

advantageously composed of two parts to resolve the fol- 50 ^^^NDSSD and the RAND re-authentication number, Many 

lowing conflicting requirements. It can be desirable to other two signals communicated between die remote device 

change die derived number very often, at least several times the central station. 

per hour. This is especially critical for the Global RAND, Thus it can be seen that security is jwovided by verifying 

which is broadcast system wide. However, it takes a large that the modulus N received by the remote device matches 

amount of computation to generate a new modulus N, and it 55 the modulus N transmitted by the central site 102. This 

may only be possible to change it once a day, or even less security is provided using information that is communicated 

c^n. to avoid overloading the control computer. The sccu- in existing service provisioning protocols. Thus, the protocol 

rity of the system does not require frequent changes when a is not substantially altered by adding this security, 

la^e modulus is used. If the random number is completely Additionally, die security is provided in a manner which 

derived from the modulus according to a predetermined ^ docs not overload the system devices, and provides a high 

mathematical relationship, it cannot be changed naore fre- level of security that is transparent to the user. 

quenUy than the modulus. We claim: 

To avoid this conflict, the derived value consists of two 1* ^ conununication device to effect secure communica- 

portions. For instance, if the RANDSSD were to be used as anodier device, comprising: 

die derived value. 40 bits can be derived from the modulus 65 a receiver to receive signals from the other device; 

and 16 bits can be random numbers indq)eDdent of die a controller coupled to die receiver, the controller recciv- 

modulus. This allows 65.536 different random numbers to ing a first signal which is at least a component of a 
public key and generating a derived signal, the controller to participate in verification of a secure communication link on which to communicate secure data with another device if the derived signal has a predetermined relationship to the first signal; and
a display coupled to the controller, wherein the controller controls the display to display the derived signal to a user for the user's use in verifying that the transmitted public key was received.

2. A communication device to determine secure communication with another device prior to communication of an authentication key over a communication link between the devices, when only one of the devices has the authentication key, comprising:

a receiver to receive signals from the other device; and
a controller coupled to the receiver, signals received by the receiver being communicated to the controller, the controller responsive to a first signal, which is at least a component of a public key, and a derived signal, received by the receiver, to determine if the first signal received was altered, the derived signal expected to have a predetermined relationship to the first signal, and if the derived signal does not have the predetermined relationship with the first signal, identifying that the communication link with the other device is an insecure communication link on which the authentication key should not be communicated.

3. The communication device as defined in claim 2, wherein the controller compares the derived signal to the first signal to verify that the first signal and the derived signal are related.

4. The communication device as defined in claim 3, wherein the device further receives a signal transmitted globally, and determines that a communication link is not secure if the first signal and the global signal do not have the predetermined relationship.

5. The communication device as defined in claim 4, wherein the global signal is a Global RAND signal.

6. The communication device as defined in claim 3, wherein the derived signal is a unique signal specific to the device, and the controller determines that a communication link is not secure if the first signal and the unique signal do not have the predetermined relationship.

7. The communication device as defined in claim 6, wherein the first signal is a modulus and the unique signal is a RANDSSD signal.

8. The communication device as defined in claim 3, wherein the derived signal is a unique signal used in an authentication challenge, and the controller determines that a communication link is not secure if the derived signal and the unique signal do not have a predetermined relationship.

9. The communication device as defined in claim 3, wherein the device is a remote device, and the derived signal is generated by a central site.

10. The communication device as defined in claim 9, wherein the first signal is a modulus and the derived signal is a RANDU signal.

11. The communication device as defined in claim 3, 
wherein the device is a central site, and the derived signal is 
generated by a remote device. 

12. The communication device as defined in claim 11, wherein the first signal is a modulus and the derived signal is a RANDBS signal.

13. The communication device as defined in claim 3, wherein the derived signal is a session signal, and the controller determines that a communication link is not secure if the first signal and the session signal do not have a predetermined relationship.
14. The communication device as defined in claim 13, wherein the session signal is a seed used to establish a cryptographic key that is used to protect subscriber traffic.

15. The communication device as defined in claim 14, wherein the first signal is a modulus and the derived signal is a RAND re-authentication signal.

16. The communication device as defined in claim 3, wherein the derived signal is partially a function of the first signal and partially a second number, whereby a plurality of different derived signals are generated from a single first signal.

17. The communication device as defined in claim 16, wherein the second number is an arbitrary number.

18. The communication device as defined in claim 3, wherein the first signal is a Diffie-Hellman technique signal.

19. The communication device as defined in claim 3, wherein the derived signal is generated from a plurality of different protocol parameters.

20. A communication device to determine secure communication with an unclassified device prior to supplying an authentication key over a communication link between the devices, when only one of the devices has the authentication key, comprising:

a transmitter to generate signals for communication to the other device; and
a controller coupled to the transmitter, the controller generating a first signal, that is at least a component of a public key, and generating a derived signal having a predetermined relationship to the first signal, the first signal and the derived signal being output by the controller to the transmitter to transmit both signals to the other device for use in monitoring the communication link prior to transmission of the authentication key over the communication link.

21. The communication device as defined in claim 20, further including a display coupled to the controller, the display displaying the derived signal for an operator.

22. The communication device as defined in claim 20, wherein the derived signal is a global signal transmitted to all remote devices in communication with the transmitter.

23. The communication device as defined in claim 20, wherein the communication device is a central site coupled to an authentication center, and the derived signal is a unique signal associated with a remote device, the derived signal being communicated to the authentication center for use in subsequent communications with the remote device.

24. The communication device as defined in claim 20, wherein the derived signal is a unique signal for use by a specific remote device during a session.

25. The communication device as defined in claim 20, wherein the derived signal includes two portions, a first portion which is derived from the first signal and a second portion which is varied, whereby a plurality of different derived signals are derived from a single first signal.

26. A method of monitoring a communication link between a central site and a remote device prior to establishing a common authentication key at the central site and the remote device, without certification of the remote device, comprising the steps of:

sending a first signal that is at least a component of a public key;
detecting a difference between the first signal transmitted and the first signal received; and
aborting communication if a difference is detected.

27. The method as defined in claim 26, further including the step of comparing a derived signal at the central site with a derived signal at the remote device.
28. A method of monitoring a communication link to a device prior to receipt of an authentication key, the device not having the authentication key, comprising the steps of:

receiving a first signal that is at least a component of a public key;
receiving a derived signal;
determining if the first signal and the derived signal have a predetermined relationship; and
detecting an intruder if the first signal and the derived signal do not have the predetermined relationship.

29. The method as defined in claim 28, wherein the device is a wireless communication device, and further including the step of receiving a message that is encrypted using the public key.

30. In a remote activation system, including
a central site having
a first transceiver, and
a controller coupled to the first transceiver,
a remote device having
a second transceiver, and
a controller coupled to the second transceiver, and
a communication link between the first transceiver and the second transceiver,

a method of protecting communication of an authentication key from the central site to the remote device when only the central site has the authentication key, comprising the steps of:

sending a first signal which is at least a component of a public key from the central site to the remote device on the communication link;
sending a derived signal to the remote device at a different time than the first signal is sent;
monitoring the communication link to detect a difference between the first signal transmitted by the central site and the first signal received at the remote device using the derived signal; and
aborting further secure communications if a difference is detected.

* * * * *
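The Diffie-Hellman variant and the two-portion derived value described in the specification above (40 bits fixed by the modulus N plus 16 independent random bits, so the value can rotate several times an hour while N changes once a day), modeled as an added example. This is not the patent's or any carrier's code. Its assumptions are not in the text: SHA-256 is used as the "predetermined relationship" between N and the derived portion, a toy DH group (N1 = 2^127 - 1, base 3) and an intruder modulus N2 = 2^89 - 1 are used so it runs instantly, and the intruder is modeled as swapping N2 for N1 in the first exchange; real deployments need a properly sized DH group.

```python
# Added example (not from the patent): toy model of the OTASP "derived value" check.
# Assumed, not from the text: SHA-256 as the relationship between N and the derived
# portion; toy moduli N1 = 2^127 - 1 (legitimate) and N2 = 2^89 - 1 (intruder's).
import hashlib
import secrets

DERIVED_BITS = 40   # portion of the derived value fixed by the modulus N
RANDOM_BITS = 16    # portion that may change freely (65,536 values per modulus)

N1 = (1 << 127) - 1   # modulus actually transmitted by the central site (Mersenne prime)
N2 = (1 << 89) - 1    # modulus an intruder substitutes for N1 (also prime)
BASE = 3              # public base a, known to both parties


def derived_portion(modulus):
    """The 40-bit part of the derived value determined by N (assumed: leading bits of SHA-256(N))."""
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(n_bytes).digest()
    return int.from_bytes(digest, "big") >> (256 - DERIVED_BITS)


def make_derived_value(modulus, nonce=None):
    """RANDSSD-style derived value: 40 bits tied to N, then 16 random bits independent of N."""
    if nonce is None:
        nonce = secrets.randbits(RANDOM_BITS)
    if not 0 <= nonce < (1 << RANDOM_BITS):
        raise ValueError("nonce must fit in the random portion")
    return (derived_portion(modulus) << RANDOM_BITS) | nonce


def check_derived_value(received_modulus, derived_value):
    """Remote device side: only the N-derived portion is checked; the random portion may vary."""
    return (derived_value >> RANDOM_BITS) == derived_portion(received_modulus)


def dh_public(modulus, secret):
    """a^S mod N, the DH signal each side transmits."""
    return pow(BASE, secret, modulus)


def dh_shared(modulus, peer_public, secret):
    """(a^S_peer)^S_own mod N, the common secret used as a mask for the A-key."""
    return pow(peer_public, secret, modulus)


def run_otasp(intruder):
    """Simulate the first exchange with or without an intruder who swaps N1 for N2.

    Returns whether the remote device accepts the link, whether the two legitimate
    parties ended up with the same mask, and whether the intruder shares the remote
    device's mask (the duplicate-A-key scenario the specification warns about).
    """
    s1 = secrets.randbelow(N1 - 3) + 2   # central site's secret power
    s2 = secrets.randbelow(N2 - 3) + 2   # remote device's secret power (valid under either modulus)
    sent_modulus, sent_public = N1, dh_public(N1, s1)

    s3 = None
    if intruder:
        s3 = secrets.randbelow(N2 - 3) + 2   # intruder's own secret power
        recv_modulus, recv_public = N2, dh_public(N2, s3)
    else:
        recv_modulus, recv_public = sent_modulus, sent_public

    # The remote device answers in whatever modulus it received and derives its mask from it.
    remote_public = dh_public(recv_modulus, s2)
    remote_mask = dh_shared(recv_modulus, recv_public, s2)

    # The central site, still working in N1, derives its own mask from the reply.
    central_mask = dh_shared(sent_modulus, remote_public, s1)
    intruder_shares_mask = s3 is not None and dh_shared(N2, remote_public, s3) == remote_mask

    # Later the central site sends a derived value tied to the modulus it actually transmitted;
    # the remote device checks it against the modulus it actually received.
    randssd = make_derived_value(sent_modulus)
    link_ok = check_derived_value(recv_modulus, randssd)

    return {
        "link_ok": link_ok,
        "masks_match": central_mask == remote_mask,
        "intruder_shares_mask": intruder_shares_mask,
    }


if __name__ == "__main__":
    print("honest exchange:", run_otasp(intruder=False))
    print("intruder swaps N1 for N2:", run_otasp(intruder=True))
```

In the honest run the check passes and both parties hold the same mask. In the attacked run the intruder does share the remote device's mask, exactly the duplicate-A-key outcome, but the derived value the central site later sends no longer matches the modulus the remote device holds, so the device refuses the link before the A-key is ever masked and sent. The 16-bit portion is what lets the central site rotate the derived value without regenerating N.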